domains and forests


Page 1: Domains and Forests

8/18/2019 Domains and Forests

http://slidepdf.com/reader/full/domains-and-forests 1/48

1

What Are Domains and Forests?

Updated: November 19, 2014

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

What Are Domains and Forests?

In this section

- The Logical Structure of Active Directory
- The Physical Structure of Active Directory
- What Are Domains?
- What Are Forests?
- Related Information

The Active Directory directory service is a distributed database that stores and manages information about network resources, as well as application-specific data from directory-enabled applications. Active Directory allows administrators to organize objects of a network (such as users, computers, and devices) into a hierarchical collection of containers known as the logical structure. The top-level logical container in this hierarchy is the forest. Within a forest are domain containers, and within domains are organizational units.

Note

In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to Active Directory, but the information is also applicable to Active Directory Domain Services.

Understanding domains and forests requires understanding the possible relationships they might have in Active Directory. The relationships between these logical containers might be based on administrative requirements, such as delegation of authority, or they might be defined by operational requirements, such as the need to provide for data isolation. Service administrators can use domain and forest containers to meet a number of specific requirements, including:

- Implementing an authentication and authorization strategy for sharing resources across a network
- Providing a mechanism for centralizing management of multiple domains and forests
- Providing an information repository and services to make information available to users and applications
- Organizing objects of a network (such as users, computers, devices, resources, and application-specific data from directory-enabled applications) into a non-physical hierarchical structure

To learn more about domains and forests, you must first understand the logical and physical structures of Active Directory. This section describes how those structures differ, and defines domains and forests in terms of the logical structure.

The Logical Structure of Active Directory

Active Directory stores network object information and implements the services that make this information available and usable to users. Active Directory presents this information through a standardized, logical structure that helps you establish and understand the organization of domains and domain resources in a useful way. This presentation of object information is referred to as the logical structure because it is independent of the physical aspects of the Active Directory infrastructure, such as the domain controllers required for each domain in the network.

Benefits of the Logical Structure

The logical structure provides a number of benefits for deploying, managing, and securing network services and resources. These benefits include:

- Increased network security. The logical structure can provide security measures such as autonomy for individual groups or complete isolation of specific resources.
- Simplified network management. The hierarchical nature of the logical structure simplifies configuration, control, and administration of the network, including managing user and group accounts and all network resources.
- Simplified resource sharing. The logical structure of domains and forests and the relationships established between them can simplify the sharing of resources across an organization.
- Low total cost of ownership. The reduced administration costs for network management and the reduced load on network resources that can be achieved with the Active Directory logical structure can significantly lower the total cost of ownership.

An efficient Active Directory logical structure also facilitates the system integration of features such as Group Policy, enabling desktop lockdown, software distribution, and administration of users, groups, workstations, and servers. In addition, the logical structure can facilitate the integration of services such as Exchange 2000, public key infrastructure (PKI), and domain-based distributed file system (DFS).

Components of the Logical Structure

The logical structure consists of leaf object and container object components that must conform to the hierarchical structure of an Active Directory forest. Leaf objects are objects that have no child objects, and are the most basic component of the logical structure. Container objects store other objects and occupy a specific level within the forest hierarchy.

The relationships among the components of the logical structure control access to stored data and determine how that data is managed across one or more domains within a single forest. The components that make up the Active Directory logical structure are described in the following table.

Components of the Active Directory Logical Structure

Component: Organizational Units

Organizational units are container objects. You use these container objects to arrange other objects in a manner that supports your administrative purposes. By arranging objects in organizational units, you make it easier to locate and manage them. You can also delegate the authority to manage an organizational unit. Organizational units can be nested in other organizational units.

You can arrange objects that have similar administrative and security requirements into organizational units. Organizational units provide multiple levels of administrative authority, so that you can apply Group Policy settings and delegate administrative control. This delegation simplifies the task of managing these objects and enables you to structure Active Directory to fit your organization's requirements.

Component: Domains

Domains are container objects. Domains are a collection of administratively defined objects that share a common directory database, security policies, and trust relationships with other domains. In this way, each domain is an administrative boundary for objects. A single domain can span multiple physical locations or sites and can contain millions of objects.

Component: Domain Trees

Domain trees are collections of domains that are grouped together in hierarchical structures. When you add a domain to a tree, it becomes a child of the tree root domain. The domain to which a child domain is attached is called the parent domain.

A child domain might in turn have its own child domain. The name of a child domain is combined with the name of its parent domain to form its own unique Domain Name System (DNS) name such as Corp.nwtraders.msft. In this manner, a tree has a contiguous namespace.

Component: Forests

A forest is a complete instance of Active Directory. Each forest acts as a top-level container in that it houses all domain containers for that particular Active Directory instance. A forest can contain one or more domain container objects, all of which share a common logical structure, global catalog, directory schema, and directory configuration, as well as automatic two-way transitive trust relationships. The first domain in the forest is called the forest root domain. The name of that domain refers to the forest, such as Nwtraders.msft. By default, information in Active Directory is shared only within the forest. In this way, the forest is a security boundary for the information that is contained in that instance of Active Directory.

Component: Site Objects

Sites are leaf and container objects. The sites container is the topmost object in the hierarchy of objects that are used to manage and implement Active Directory replication. The sites container stores the hierarchy of objects that are used by the Knowledge Consistency Checker (KCC) to effect the replication topology. Some of the objects located in the sites container include NTDS Site Settings objects, subnet objects, connection objects, server objects, and site objects (one site object for each site in the forest). The hierarchy is displayed as the contents of the Sites container, which is a child of the Configuration container.

By understanding the purpose and hierarchical structure of these components, you can complete a variety of tasks, including installing, configuring, managing, and troubleshooting Active Directory. Although the logical structure of Active Directory is a hierarchical organization of all users, computers, and other physical resources, the forest and domain form the basis of the logical structure.

Forests, which are the security boundaries of the logical structure, can be structured to provide data and service autonomy and isolation in an organization in ways that can both reflect site and group identities and remove dependencies on the physical topology. Domains can be structured within a forest to provide data and service autonomy (but not isolation) and to optimize replication within a given region.

This separation of logical and physical structures improves manageability and reduces administrative costs because the logical structure is not impacted by changes in the physical structure, such as the addition, removal, or reorganization of users and groups.

Note

You can view and manage components of the logical structure by using the Active Directory Users and Computers, Active Directory Domains and Trusts, and Active Directory Schema Microsoft Management Console (MMC) snap-ins, and other tools.

The Physical Structure of Active Directory

The physical structure of Active Directory is represented by a set of physical components which, when configured correctly, can help optimize the transmission of network replication and authentication in ways specifically tailored to fit your physical network. Physical network components, such as domain controllers and physical subnets, are used to facilitate network communication and to set physical boundaries around network resources. More specifically, the physical structure of Active Directory represents all of the physical subnets in your enterprise network, the domain controllers in those physical subnets (commonly referred to as Sites in Active Directory) and the replication connections between the domain controllers.

Sites and subnets are represented in Active Directory by site and subnet objects. Computers on TCP/IP networks are assigned to site objects based on their location in a physical subnet or a set of physical subnets. Physical subnets group computers in a way that identifies their physical proximity on the network. Each site object is associated with one or more subnet objects. Subnet objects are used during the process of domain controller location to find a domain controller in the same site as the computer that is logging on. This information also is used during Active Directory replication to determine the best routes between domain controllers. This enables you to use network bandwidth more efficiently. For example, it ensures that when users log on to the network they are authenticated by the authentication authority nearest to the user, thus reducing the amount of network traffic.

The physical domain controller contains the directory partitions that are replicated. Although the logical and physical structures are defined and configured independently, they have interdependencies that affect replication.

Note

You can view the physical structure of Active Directory by using Active Directory Sites and Services.

For more information about the network components associated with the physical structure of Active Directory, see the "Active Directory Replication Topology Technical Reference."
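To make the distinction between the two structures concrete, here is an added PowerShell example that inventories the logical structure (forest, domains, organizational units) and the physical structure (sites, subnets, domain controllers) of the forest the current computer belongs to. It is not code from the original article or from Microsoft; it assumes the ActiveDirectory module (RSAT) on a domain-joined machine with ordinary read access to the directory, and the function name Get-ADStructureReport is this example's own.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory module
# is available and the caller can read the forest (ordinary domain user rights suffice).
Import-Module ActiveDirectory

function Get-ADStructureReport {
    $forest = Get-ADForest

    # --- Logical structure: forest -> domains -> organizational units -----------------
    $logical = foreach ($domainName in $forest.Domains) {
        $domain  = Get-ADDomain -Identity $domainName
        $ouCount = @(Get-ADOrganizationalUnit -Filter * -Server $domainName).Count
        $parent  = if ($domain.ParentDomain) { $domain.ParentDomain } else { '<forest root>' }
        [pscustomobject]@{
            Forest  = $forest.Name
            Domain  = $domain.DNSRoot
            Parent  = $parent
            IsRoot  = ($domain.DNSRoot -eq $forest.RootDomain)
            OUCount = $ouCount
        }
    }

    # --- Physical structure: sites -> subnets -> domain controllers -------------------
    # A subnet object's Site property holds the distinguished name of the site it maps to.
    $subnets = @(Get-ADReplicationSubnet -Filter *)
    $dcs     = foreach ($domainName in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $domainName
    }
    $physical = foreach ($site in Get-ADReplicationSite -Filter *) {
        $siteSubnets = @($subnets | Where-Object { $_.Site -eq $site.DistinguishedName })
        $siteDCs     = @($dcs     | Where-Object { $_.Site -eq $site.Name })
        # A site with DCs but no subnet is never chosen by DC locator for any client;
        # a site with subnets but no DC sends its clients to another site to log on.
        $warning = if ($siteSubnets.Count -eq 0 -and $siteDCs.Count -gt 0) {
                       'DCs present but no subnet mapped'
                   } elseif ($siteDCs.Count -eq 0 -and $siteSubnets.Count -gt 0) {
                       'no DC in site; clients authenticate in another site'
                   } else { '' }
        [pscustomobject]@{
            Site    = $site.Name
            Subnets = ($siteSubnets.Name -join ', ')
            DCs     = ($siteDCs.HostName -join ', ')
            Warning = $warning
        }
    }
    # Subnets defined but not assigned to any site cannot be used for DC location at all.
    $orphanSubnets = @($subnets | Where-Object { -not $_.Site }).Name

    [pscustomobject]@{ Logical = $logical; Physical = $physical; UnassignedSubnets = $orphanSubnets }
}

$report = Get-ADStructureReport
$report.Logical  | Format-Table -AutoSize
$report.Physical | Format-Table -AutoSize
if ($report.UnassignedSubnets) {
    "Subnets not mapped to a site: $($report.UnassignedSubnets -join ', ')"
}
```

The two tables are deliberately independent of each other: the domain list does not change when you add a site, and the site list does not change when you add a domain, which is exactly the separation of logical and physical structure the article describes. The warnings surface the two misconfigurations that most often make clients authenticate against a distant domain controller.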

What Are Domains?

Domains are logical directory components that you create to manage the administrative requirements of your organization. The logical structure is based on the administrative requirements of an organization, such as the delegation of administrative authority, and operational requirements, such as the need to control replication. In general, domains are used to control where in the forest replication of domain data occurs and organizational units are used to further organize network objects into a logical hierarchy and delegate control to appropriate administrative support personnel.

A domain is a partition in an Active Directory forest. Partitioning data enables organizations to replicate data only to where it is needed. In this way, the directory can scale globally over a network that has limited available bandwidth. Domains can also be defined as:

- Containers within a forest
- Units of Policy
- Units of Replication
- Authentication and Authorization Boundaries
- Units of Trust

Each domain has a domain administrators group. Domain administrators have full control over every object in the domain. These administrative rights are valid within the domain only and do not propagate to other domains.

Domains as Containers Within a Forest

Within the scope of a forest, a domain is a container. Objects in that container inherently trust each other and the security services located in that same container. Each time you create a new domain container in a forest, a two-way, transitive trust relationship is automatically created between the new domain and its parent domain. Trusts are logical relationships established between domains to allow pass-through authentication in which a trusting domain honors the logon authentications of a trusted domain. Because all domain containers within a forest are joined together by two-way transitive trusts, objects within one domain container also inherently trust all other objects and security services located in every domain container located in that forest.

Domain containers are used to store and manage Active Directory objects, some of which have a physical representation. All of the objects within the domain container are stored in a central database that stores only objects created within that domain. Some objects represent people or groups of people, while others represent computers or network servers. Examples of Active Directory objects that have a physical representation are user, computer, and group objects.

While domains contain objects that represent physical things, they also contain objects that are used to help self-regulate domain operations such as trusted domain objects (TDOs) and site link objects. Domain containers can also hold subordinate containers such as organizational units. The following figure shows where objects are stored within the logical structure of a domain.

Domain Containment Structure Within a Forest 

Organizational Units and Objects

Organizational units are used to group objects, including accounts and resources in a domain, for administrative purposes, such as the application of Group Policy or delegation of authority. Control over an organizational unit, including the objects within it, is determined by the access control lists (ACLs) on the organizational unit and on the objects in the organizational unit.

Organizational Units

The organizational unit is a particularly useful type of directory object contained within domains. Each organizational unit is an Active Directory container within a domain into which users, groups, computers, and other organizational units of the domain can be placed. An organizational unit cannot contain objects from other domains.

An organizational unit is the smallest scope or unit to which Group Policy settings can be assigned or to which administrative authority can be delegated. A hierarchy of organizational units can be extended as necessary to model the hierarchy of an organization within a domain. The administrative model of the organizational unit can be scaled to any size. For more information about Group Policy, see "How Core Group Policy Works."

Administrative authority can be delegated for individual organizational units or for multiple organizational units. Organizational units can be nested to create a hierarchy within a domain and form logical administrative units for users, groups, and resource objects, such as printers, computers, applications, and file shares. The organizational unit hierarchy within a domain is independent of the structure of other domains: each domain can implement its own hierarchy. Likewise, domains that are managed by the central authority can implement similar organizational unit hierarchies. The structure is flexible, which allows organizations to create an environment that mirrors the administrative model, whether it is centralized or decentralized.

Objects

Active Directory objects represent the physical entities that make up a network. An object stores an instance of a class. A class is defined in the Active Directory schema as a specific set of mandatory and optional attributes — that is, an attribute can be present in an object in Active Directory only when that attribute is permitted by the object's class. Classes also contain rules that determine which classes of objects can be superior to (parents of) a particular object of the class. Each attribute is also defined in the directory schema. The attribute definitions determine the syntax for the values the attribute can have.

Creation of an Active Directory object requires specification of values for the attributes of the object in its particular class, consistent with the rules of the directory schema. For example, creating a user object requires specification of alphanumeric values for the user's first and last names and the logon identifier, which are mandatory according to the directory schema. Other non-mandatory values can also be specified, such as telephone number and address.

Applications that create or modify objects in Active Directory use the directory schema to determine what attributes the object must and might have, and what those attributes can look like in terms of data structures and syntax constraints. The directory schema is maintained forest-wide so that all objects created in the directory conform to the same values.

Objects are either container objects or leaf objects. A container object stores other objects, and as such occupies a specific level in a subtree hierarchy. An object class is a container if at least one other class specifies it as a possible superior, so any object class defined in the schema can become a container. A leaf object does not store other objects, so it occupies the endpoint of a subtree. For more information about Active Directory objects, see "How Domains and Forests Work" and "How the Active Directory Schema Works."
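The schema rules described in the last few paragraphs (mandatory versus optional attributes per class, and a class being a container because other classes name it as a possible superior) can be read straight from the schema partition. The following added PowerShell example, which is not from the original article, does that for the user class and for organizational units, so it also answers what an organizational unit may directly contain. It assumes the ActiveDirectory module and read access to the schema naming context (any authenticated user has it); the function names are this example's own.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory module and read
# access to the schema partition. Function names are this example's own.
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaClass {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties lDAPDisplayName, subClassOf, auxiliaryClass, systemAuxiliaryClass,
                    mustContain, systemMustContain, mayContain, systemMayContain
}

# Mandatory and optional attributes of a class. Each schema class stores only its own
# contributions; the full set is the union over the class, its parents (the subClassOf
# chain up to 'top') and its auxiliary classes, so the function walks that graph.
function Get-ClassAttributeSets {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $must  = [System.Collections.Generic.HashSet[string]]::new()
    $may   = [System.Collections.Generic.HashSet[string]]::new()
    $seen  = @{}
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($LdapDisplayName)
    while ($queue.Count -gt 0) {
        $name = $queue.Dequeue()
        if ($seen.ContainsKey($name)) { continue }   # 'top' is its own superclass; stop there
        $seen[$name] = $true
        $cls = Get-SchemaClass -LdapDisplayName $name
        if (-not $cls) { continue }
        foreach ($a in @($cls.mustContain) + @($cls.systemMustContain)) { if ($a) { [void]$must.Add($a) } }
        foreach ($a in @($cls.mayContain)  + @($cls.systemMayContain))  { if ($a) { [void]$may.Add($a) } }
        foreach ($p in @($cls.subClassOf) + @($cls.auxiliaryClass) + @($cls.systemAuxiliaryClass)) {
            if ($p) { $queue.Enqueue($p) }
        }
    }
    [pscustomobject]@{
        Class     = $LdapDisplayName
        Mandatory = @($must | Sort-Object)
        Optional  = @($may  | Sort-Object)
    }
}

# Classes that list $ContainerClass as a possible superior: exactly the object classes that
# may be created beneath it. A non-empty result is what makes the class a container.
function Get-ClassesContainedBy {
    param([Parameter(Mandatory)][string]$ContainerClass)
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(|(possSuperiors=$ContainerClass)(systemPossSuperiors=$ContainerClass)))" `
        -Properties lDAPDisplayName |
        Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
}

$user = Get-ClassAttributeSets -LdapDisplayName 'user'
"user: $($user.Mandatory.Count) mandatory attribute(s): $($user.Mandatory -join ', ')"
"user: $($user.Optional.Count) optional attribute(s)"
"organizationalUnit may directly contain: $((Get-ClassesContainedBy -ContainerClass 'organizationalUnit') -join ', ')"
```

Because possSuperiors is evaluated per class, the same query with a class such as user as the container argument shows whether anything may be created beneath a user object, which is the practical test of the article's statement that any class defined in the schema can become a container.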

Domains as Units of Policy

A domain defines a scope or unit of policy within a forest. Some policy settings apply only to the scope of a domain, that is, the policy settings are domain-wide. Account policies, for example, apply uniformly to all user accounts in the domain. Although a domain is not the smallest unit of policy that can be assigned (policies can be assigned to organizational units) it is the most commonly used unit when splitting administrative duties between departments and subsidiaries located in different geographical locations. As shown in the following figure, you might need to create multiple domains to provide for policy variance among domains throughout a forest. A domain is also considered a unit of access control, in that it can be used for business groups requiring general autonomy.

Delegation of Domains to Domain Admins that Require Different Policies or Autonomy 


You cannot define different account policies for different organizational units in the same domain. Policy settings are stored as Group Policy objects (GPOs) in Active Directory. A GPO establishes how domain resources can be accessed, configured, and used. The policies associated with a GPO are applied only within the domain and not across domains. A GPO can be associated with one or more Active Directory containers, such as a site, domain, or organizational unit.

Account policies and Public Key policies have domain-wide scope and are set at the domain GPO level. All other policies can be specified at the level of the organizational unit. Some policies that can be applied only at the domain container level include:

- Password policy. Determines the rules, such as password length, that must be met when a user sets a password.
- Account lockout policy. Defines rules for intruder detection and account deactivation.
- Kerberos ticket policy. Determines the lifetime of a Kerberos ticket. A Kerberos ticket is obtained during the logon process and is used for network authentication. A particular ticket is only valid for the lifetime specified in the policy.
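Since account policy is domain-wide, a forest with several domains has several independent password and lockout policies, and a review has to read each one. The added PowerShell example below, which is not from the original article, reads the effective domain-wide policy of every domain in the forest and flags settings a reviewer would question; the thresholds are this example's own assumptions, not values from the article. It also lists fine-grained password policies (Windows Server 2008 and later), which are the one sanctioned exception to the rule above: they vary account policy for specific users and global groups, never for organizational units. It assumes the ActiveDirectory module and read access to each domain.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory module and read
# access to every domain in the forest. Review thresholds are this example's assumptions.
Import-Module ActiveDirectory

function Get-DomainAccountPolicyReview {
    foreach ($domainName in (Get-ADForest).Domains) {
        # Domain-wide account policy: the values that the Default Domain Policy GPO
        # wrote to the domain object (password and lockout settings).
        $p = Get-ADDefaultDomainPasswordPolicy -Server $domainName
        $findings = @()
        if ($p.MinPasswordLength -lt 14)    { $findings += "MinPasswordLength=$($p.MinPasswordLength)" }
        if (-not $p.ComplexityEnabled)      { $findings += 'complexity disabled' }
        if ($p.LockoutThreshold -eq 0)      { $findings += 'no account lockout' }
        if ($p.ReversibleEncryptionEnabled) { $findings += 'reversible encryption enabled' }
        if ($p.PasswordHistoryCount -lt 24) { $findings += "PasswordHistoryCount=$($p.PasswordHistoryCount)" }

        # Fine-grained password policies apply to users and global groups (AppliesTo holds
        # their distinguished names); they cannot be linked to an organizational unit.
        $fgpp = @(Get-ADFineGrainedPasswordPolicy -Filter * -Server $domainName)

        [pscustomobject]@{
            Domain              = $domainName
            MinPasswordLength   = $p.MinPasswordLength
            MaxPasswordAge      = $p.MaxPasswordAge
            PasswordHistory     = $p.PasswordHistoryCount
            LockoutThreshold    = $p.LockoutThreshold
            LockoutDuration     = $p.LockoutDuration
            FineGrainedPolicies = ($fgpp | ForEach-Object { "$($_.Name) -> $($_.AppliesTo -join ',')" }) -join '; '
            Findings            = ($findings -join '; ')
        }
    }
}

Get-DomainAccountPolicyReview | Format-Table -AutoSize
```

The Kerberos ticket policy from the list above is not exposed by Get-ADDefaultDomainPasswordPolicy; it lives in the Default Domain Policy GPO under Computer Configuration, Windows Settings, Security Settings, Account Policies, Kerberos Policy, and can be read with Get-GPOReport from the GroupPolicy module.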


Because organizational units provide multiple levels of administrative authority, you can use them to systematically apply Group Policy settings and delegate administrative control. Delegation simplifies the task of managing these objects and enables you to structure Active Directory to fit the requirements of your organization. Using delegated authority in conjunction with GPOs and group memberships allows one or more administrators to be assigned rights and permissions to manage objects in an entire domain or in one or more organizational units within the domain.

For more information about Group Policy, see “How Core Group Policy Works.” 

Domains as Units of Replication

The physical significance of a domain is that it is a unit of replication. In fact, with the exception of application partitions, which replicate only non-security principal objects, the domain is the smallest unit of replication that can be administered within an Active Directory forest. This is because all objects that are located within a domain container, also referred to as domain data, are replicated to other domain controllers within that same domain, regardless of whether those domain controllers are located over a local area network (LAN) or wide area network (WAN) connection.

As shown in the following figure, Active Directory multi-master replication manages the transfer of domain objects to the appropriate domain controllers automatically, keeping domain data up-to-date among all domain controllers in the domain, regardless of location.

Replication of Domain Data Within Each Domain in the Forest 


All domain controllers in the forest are also updated with changes to forest-wide data. For more information about replication at the forest level, see "Forests as Units of Replication" later in this section. Domain-wide replication relies on three components of the Active Directory physical structure being in place for optimal performance. These components are:

Domain Controllers

The physical domain controller contains the domain partition data that is replicated to other domain controllers in that same domain. A domain partition stores only the information about objects located in that domain. All domain controllers in a domain receive changes and replicate those changes to the domain partition stored on all other domain controllers in the domain. In this way, all domain controllers are peers in the domain and manage replication as a unit.

Domain controllers also have two non-domain directory partitions that store forest-wide data, which includes the directory schema and configuration data. Optionally, application partitions can be configured to be located on designated domain controllers anywhere in a forest. Unlike the schema and configuration partitions, application partitions are not located on every domain controller in a forest. For more information about the replication of forest-wide data, see "Forests as Units of Replication" later in this section.

Partitioning Active Directory data into three physical partitions on each domain controller helps to control replication so that data is replicated only to where it is needed. In this way, Active Directory can scale globally over a network that has limited available bandwidth.

Sites

Within the scope of a forest, sites are a representation of the physical network topology. This includes physical subnet and site definitions. Replication of updates to domain data occurs between multiple domain controllers to keep replicas synchronized. Multiple domains are common in large organizations, as are multiple sites in disparate locations. In addition, domain controllers for the same domain are commonly placed in more than one site.

Therefore, replication must often occur both within sites and between sites to keep domain and forest data consistent among domain controllers that store the same directory partitions. Replication within sites generally occurs at typical LAN speeds between domain controllers that are on the same network segment. Replication between sites usually occurs over WAN links that might be costly in terms of bandwidth. To accommodate the differences in distance and cost of replication within a site and between sites, the intrasite replication topology is used to optimize speed, and the intersite replication topology is used to minimize cost based on a configurable replication schedule.

The Knowledge Consistency Checker (KCC) is a distributed application that runs on every domain controller and is responsible for creating the connections between domain controllers that collectively form the replication topology. The KCC uses Active Directory data to determine where to create connections between source domain controllers and destination domain controllers.

Intersite replication is optimized for bandwidth efficiency, and directory updates between sites occur automatically based on a configurable schedule.

Domain-Wide Operations Masters

Active Directory supports multi-master replication of the directory data store between all domain controllers in the domain. However, some changes are impractical to perform in multi-master fashion, so only a single domain controller, called the operations master, accepts requests for such changes. Because these roles can be transferred to other domain controllers within the domain or forest, they are sometimes referred to as operations master roles.

There are three operations master roles per domain. These include the Relative Identifier (RID) Master, Primary Domain Controller (PDC) emulator, and Infrastructure Master. These three roles must be unique in each domain, so each domain can have only one RID master, one PDC emulator, and one Infrastructure Master. For information about forest-wide roles, see "Forest-Wide Operations Master Roles" later in this section. For more information about replication, see "How Active Directory Replication Topology Works."
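The three physical components just described (domain controllers and the partitions they hold, sites, and the domain-wide operations masters) can be checked together from one domain controller list. The added PowerShell example below is not from the original article; it assumes the ActiveDirectory module, read access to the domain, and network reachability to each domain controller (replication metadata is read from the DC itself), and the function name Get-DomainReplicationReview is this example's own. The infrastructure-master caveat it applies is Microsoft's general guidance rather than a statement from this article.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory module and
# read access to the domain; each DC must be reachable for its replication metadata.
Import-Module ActiveDirectory

function Get-DomainReplicationReview {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $d   = Get-ADDomain -Identity $Domain
    $f   = Get-ADForest
    $dcs = @(Get-ADDomainController -Filter * -Server $Domain)

    # The three domain-wide roles, with the two forest-wide roles shown for context.
    $roles = [ordered]@{
        'RID Master'            = $d.RIDMaster
        'PDC Emulator'          = $d.PDCEmulator
        'Infrastructure Master' = $d.InfrastructureMaster
        'Schema Master'         = $f.SchemaMaster
        'Domain Naming Master'  = $f.DomainNamingMaster
    }

    $perDC = foreach ($dc in $dcs) {
        # Inbound replication partners for every partition this DC hosts: the domain
        # partition, configuration, schema, and any application partitions (for example
        # the DNS zone partitions), which are only present on designated DCs.
        $partners = @(Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition * -ErrorAction SilentlyContinue)
        $failures = @(Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue)
        $stale    = @($partners | Where-Object { $_.ConsecutiveReplicationFailures -gt 0 })
        [pscustomobject]@{
            DomainController  = $dc.HostName
            Site              = $dc.Site
            GlobalCatalog     = $dc.IsGlobalCatalog
            Partitions        = ($dc.Partitions -join '; ')
            OperationsMasters = ($dc.OperationsMasterRoles -join ', ')
            InboundPartners   = $partners.Count
            PartnersFailing   = $stale.Count
            FailureCount      = $failures.Count
        }
    }

    # Placement caveat: the infrastructure master should not sit on a global catalog
    # unless every DC in the domain is also a global catalog.
    $infra  = $dcs | Where-Object { $_.HostName -eq $d.InfrastructureMaster }
    $nonGCs = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $warn   = if ($infra -and $infra.IsGlobalCatalog -and $nonGCs.Count -gt 0) {
                  "Infrastructure master $($infra.HostName) is a GC while $($nonGCs.Count) DC(s) are not"
              } else { '' }

    [pscustomobject]@{ Domain = $Domain; Roles = $roles; DomainControllers = $perDC; Warning = $warn }
}

$r = Get-DomainReplicationReview
$r.Roles
$r.DomainControllers | Format-Table -AutoSize
if ($r.Warning) { Write-Warning $r.Warning }
```

Running it per domain (the Domain parameter) rather than per forest mirrors the article's point that the domain is the unit of replication: the partner and failure counts are about the domain partition and its peers, while the schema and configuration partitions appear on every DC regardless of domain.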

Domains as Authentication and Authorization Boundaries

By default, a domain provides authentication and authorization services for all its accounts in order to facilitate logons and single sign-on access control to shared resources within the boundaries of the domain. The process of authentication ensures that users are who they claim to be. Once identified, the user can be authorized access to a specific set of network resources based on permissions. Authorization takes place through the mechanism of access control, using access control lists (ACLs) that define permissions on file systems, network file and print shares, and entries in Active Directory.

Authorization is determined not only by the identity of the user but also the membership of the user in one or more security groups. In fact, the preferred method of controlling domain-wide resources is to grant access to groups rather than to individuals, adjusting the level of authorization for a group according to the needs of its members. This method of controlling access makes it easier to keep ACLs up-to-date on domains that have thousands of users and objects. Group membership can be managed centrally by anyone with the appropriate administrative credentials. You can change the level of authorization a particular user has to many resources simply by adding or removing the user from a group. The following figure shows when authentication and authorization for a user in a given domain occur.

Authentication and Authorization of a User Within the Same Domain 

Authentication is not limited to users. Computers and services are also authenticated when they make network connections to other servers. For example, domain-joined computers connect to Active Directory in their domain for policy information during startup. Computers and services also prove their identity to clients that request mutual authentication. Mutual authentication prevents an intruder from adding another computer as an impostor between the client and the real network server. The Kerberos version 5 authentication protocol is a technology for single sign-on to network resources. The Kerberos V5 protocol is used to provide single sign-on to network services within a domain, and to services residing in trusted domains. The Kerberos V5 protocol verifies both the identity of the user and of the network services, providing mutual authentication.

Authentication and authorization services in one domain can be extended to accounts that are located in trusted domains. This can be done by using trusts. Trusts are logical relationships established between domains to allow pass-through authentication in which a trusting domain honors the logon authentications of a trusted domain. Consequently, trust relationships inherently allow domain-specific authentication and authorization services to be extended, thereby enabling single sign-on access control capabilities throughout a forest. Because the domain trust relationships between all domains in the forest are bidirectional by default, authentication in one domain is sufficient for referral or pass-through authentication to resources in other domains in the forest.

Domains as Units of Trust

A domain is the smallest container within Active Directory that can be used in a trust relationship. All domains within a forest are connected by Kerberos-based trusts. Kerberos-based trusts are two-way and transitive in nature. Trusts act as authentication pipelines that must be present in order for users in one domain to access resources in another domain. All authentication requests made between domains located inside or outside of a forest must occur over trusts. Trust relationships within a forest are created as implicit two-way transitive trusts.

Note

“Access to resources” in any discussion of trust relationships always assumes the limitations of access control: a trust lets a principal from the trusted domain be authenticated, but the ACLs in the trusting domain still decide what, if anything, that principal can access.

Within a forest, trust relationships are created automatically between the forest root domain and each tree root domain, and between each parent domain and its child domains. Because trust relationships are two-way and transitive by default, users and computers can be authenticated between any domain containers in the forest, as shown in the following figure.

Domains as Units of Trust and the Authentication Paths they Provide 

In accordance with DNS naming standards, Active Directory domains within a single forest are created in an inverted tree structure, with the forest root domain at the top. This tree structure requires that trusts exist between domains to facilitate security of communications. Adding a domain tree to a forest requires specification of the forest root domain, which results in the establishment of a trust relationship between the root domain of the new tree and the forest root domain. For more information about trusts and root domains, see “Forests as Collections of Domain Containers that Trust Each Other” later in this section.

What Domains Are Not

Domains are not security boundaries within the scope of Active Directory and do not provide complete isolation in the face of possible attacks by malicious service administrators who might manage that forest. This is because a malicious service administrator, such as a member of the Domain Admins group, can use nonstandard tools and procedures to gain full access to any domain in the forest or to any computer in the forest. For example, service administrators in a non-root domain can make themselves members of the Enterprise Admins or Schema Admins group. In practice, this means that every domain controller in the forest, and every account that can administer one, must be protected to the standard of the most sensitive domain in that forest.

However, administrative rights do not flow across domain boundaries, nor do they flow down through a domain tree. For example, if you have a domain tree with domains A, B, and C, where A is the parent domain of B and B is the parent domain of C, users with administrative rights in domain A do not have administrative rights in B, nor do users with administrative rights in domain B have administrative rights in domain C. For a user to obtain administrative rights in a given domain, a higher authority must grant them. This does not mean, however, that an administrator cannot have administrative rights in multiple domains; it simply means that all rights must be explicitly defined.

For more information about isolation, see “Forests as Security Boundaries” later in this section.

What Are Forests?

At its highest level, a forest is a single instance of Active Directory. Therefore, a forest is synonymous with Active Directory, meaning that the set of all directory partitions in a particular Active Directory instance (which includes all domain, configuration, schema and optional application information) makes up a forest. This means that when you have multiple forests in an enterprise they will, by default, act separately from each other as if they were the only directory service in your organization.

This behavior, however, can easily be modified so that multiple forests can share Active Directory responsibilities across an enterprise. This is done by creating external or forest trust relationships between the forests. In this way, each forest can be connected with every other forest to form a collaborative directory service solution for any enterprise with business needs that include multiple forest collaboration.

Forests can also be defined as:

- Collections of Domain Containers that Trust Each Other
- Units of Replication
- Security Boundaries
- Units of Delegation

Forests as Collections of Domain Containers that Trust Each Other

Within the scope of Active Directory, a forest is a collection of domain containers that inherently trust each other and other security services that are located in that same forest. All domain containers in a forest share a common global catalog, directory schema, and directory configuration, as well as automatic two-way transitive trust relationships. Because all of the domain containers are inherently joined through two-way transitive trusts, all authentication requests made from any domain in the forest to any other domain in the same forest will be honored (access to the resource itself is still decided by its ACL). In this way, all security principals that are located in domain containers within a forest inherently trust each other.

Forests can be used to segregate domain containers into one or more unique DNS namespace hierarchies known as domain trees. Although each domain tree consists of a unique namespace, the schema and configuration data for the forest are shared throughout all the domain containers in a forest irrespective of namespace. Each domain container in a forest must adhere to DNS naming schemes, and all domains are organized in a root and subordinate domain hierarchy. Root domains, such as forest root and tree root domains, define the DNS namespace for their subordinate domains. Although a forest can consist of multiple domain trees, it represents one organization. However, an organization can have multiple forests. For more information about multiple forests, see “Forests as Units of Delegation” later in this section. As shown in the following figure, the namespace for each root domain must be unique.

Domain Containers, Root Domains and DNS Namespaces Within a Forest 

Forest Root Domain

Although trees in a forest do not share the same DNS namespace, a forest does have a single root domain, called the forest root domain. The forest root domain is, by definition, the first domain created in the forest. The Enterprise Admins and Schema Admins groups are located in this domain. By default, members of these two groups have forest-wide administrative credentials. In Windows 2000 Active Directory, the forest root domain cannot be deleted, changed, or renamed. In Windows Server 2003 and later versions of Active Directory, the forest root domain cannot be deleted, but it can be restructured or renamed.

Objects are located within Active Directory domains according to a hierarchical path, which includes the labels of the Active Directory domain name and each level of container objects. The full path to the object is defined by the distinguished name (also known as a DN). The distinguished name is unambiguous (identifies one object only) and unique (no other object in the directory has this name). By using the full path to an object, including the object name and all parent objects to the root of the domain, the distinguished name uniquely and unambiguously identifies an object within a domain hierarchy.

The distinguished name of the forest root domain is used to locate the configuration and schema directory partitions in the namespace. The distinguished names for the Configuration and Schema containers in Active Directory always show these containers as child objects in the forest root domain. For example, in the child domain Noam.wingtiptoys.com (where Wingtiptoys.com is the name of the forest root domain), the distinguished name of the Configuration container is cn=configuration,dc=wingtiptoys,dc=com. The distinguished name of the Schema container is cn=schema,cn=configuration,dc=wingtiptoys,dc=com. However, this naming convention provides only a logical location for these containers.

These containers do not exist as child objects of the forest root domain, nor is the schema directory partition actually a part of the configuration directory partition: they are separate directory partitions. Every domain controller in a forest stores a copy of the configuration and schema directory partitions, and every copy of these partitions has the same distinguished name on every domain controller.

Tree Root Domain

A domain tree represents a unique DNS namespace: it has a single root domain, known as the tree root domain, and is built as a strict hierarchy in which each domain beneath the tree root domain has exactly one superior, or parent, domain. The namespace created by this hierarchy, therefore, is contiguous: each level of the hierarchy is directly related to the level above it and to the level below it. In other words, the names of domains created beneath the tree root domain (child domains) are always contiguous with the name of the tree root domain. The DNS names of the child domains of the root domain of a tree reflect this organization; therefore, the children of a root domain called Somedomain are always children of that domain in the DNS namespace (for example, Child1.somedomain, Child2.somedomain, and so forth).

Multiple domain trees can belong to a single forest and do not form a contiguous namespace; that is, they have noncontiguous DNS domain names. Although the roots of the separate trees have names that are not contiguous with each other, the trees share a single overall namespace because names of objects can still be resolved by the same Active Directory instance. A forest exists as a set of cross-reference objects and trust relationships that are known to the member trees. Transitive trusts at the root domain of each namespace provide mutual access to resources.
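The naming rules of the preceding paragraphs are easy to get wrong when writing LDAP filters or audit scripts, so here is an added Python example (not code from the original article) that works them through on a constructed sample forest: the forest root Wingtiptoys.com and its child Noam.wingtiptoys.com from the text, plus an assumed second tree, Tailspintoys.com. It builds a domain DN from a DNS name, derives the logical DNs of the configuration and schema partitions from the forest root (and only from the forest root, whichever domain you are in), and tests whether two domain names are contiguous, that is, belong to the same tree. RDN values are assumed to contain no escaped commas.

```python
"""Domain DNs, forest-wide partition DNs and contiguous namespaces.

Added example, not code from the original article. Sample forest (constructed):
forest root wingtiptoys.com, child domain noam.wingtiptoys.com, and an assumed
second tree tailspintoys.com. RDN values are assumed to contain no escaped commas.
"""


def _labels(dns_name: str) -> list:
    """DNS labels of a name, lower-cased, most specific first."""
    return [label for label in dns_name.lower().strip(".").split(".") if label]


def dn_from_dns(dns_name: str) -> str:
    """noam.wingtiptoys.com -> dc=noam,dc=wingtiptoys,dc=com"""
    return ",".join(f"dc={label}" for label in _labels(dns_name))


def dns_from_dn(dn: str) -> str:
    """Inverse of dn_from_dns: keep only the dc= components, in order."""
    parts = [part.strip().lower() for part in dn.split(",")]
    return ".".join(part[3:] for part in parts if part.startswith("dc="))


def is_child_domain(child: str, parent: str) -> bool:
    """True when child sits exactly one label beneath parent in the same tree."""
    c, p = _labels(child), _labels(parent)
    return len(c) == len(p) + 1 and c[1:] == p


def same_tree(a: str, b: str) -> bool:
    """Two domains share a tree when one name is a suffix of the other (contiguous namespace)."""
    shorter, longer = sorted((_labels(a), _labels(b)), key=len)
    return longer[len(longer) - len(shorter):] == shorter


def forest_partition_dns(forest_root: str) -> dict:
    """Logical DNs of the forest-wide partitions; they always hang off the forest root DN."""
    config = f"cn=configuration,{dn_from_dns(forest_root)}"
    return {"configuration": config, "schema": f"cn=schema,{config}"}


def object_dn(domain: str, *rdns: str) -> str:
    """Compose a DN leaf-first: object_dn("noam.wingtiptoys.com", "cn=Joe", "ou=Sales")."""
    return ",".join([*rdns, dn_from_dns(domain)])


if __name__ == "__main__":
    root, child, other_tree = "wingtiptoys.com", "noam.wingtiptoys.com", "tailspintoys.com"
    print(object_dn(child, "cn=Joe", "ou=Sales"))
    print(forest_partition_dns(root))   # same answer from any domain in the forest
    print(is_child_domain(child, root), same_tree(other_tree, root))
```

Note that `forest_partition_dns` takes the forest root, never the domain the caller lives in: a script run in Noam.wingtiptoys.com that builds `cn=configuration,dc=noam,dc=wingtiptoys,dc=com` names an object that does not exist.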

The domain hierarchy in a forest determines the transitive trust links that connect each domain. Each domain has a direct trust link with its parent and each of its children. If there are multiple trees in a forest, the forest root domain is at the top of the trust tree and, from a trust perspective, all other tree roots are children. That means authentication traffic between any two domains in different trees must pass through the forest root, unless an explicit shortcut trust has been created between those two domains.

Forests as Units of Replication

Unlike domains, forests are the largest unit of replication that can be administered in an Active Directory environment. To efficiently synchronize data between domain controllers throughout a forest, Active Directory replication transfers updates according to directory partition. Directory partitions are used to help organize how replication occurs within a forest. Active Directory uses four distinct directory partition types to store and copy four different types of data.

One directory partition contains domain data; the other three are forest-wide partitions, and contain configuration, schema, and application data. This storage and replication design provides directory information to users and administrators throughout the forest. Each domain controller receives directory updates to the data stored in its domain only, as well as updates to the data in the two directory partitions that store configuration and schema data for the forest. As shown in the following figure, schema and configuration data must be replicated to all domain controllers that exist in a forest, while optional application data is replicated only to domain controllers within the same forest that are specified as replication partners.

Forest-Wide Replication Scope 

The following table describes each of the three forest-wide partitions in more detail.

Forest-Wide Directory Partitions 

Schema. The schema partition contains the forest-wide schema. Each forest has one schema so that the definition of each object class is consistent. The schema is the formal definition of all object and attribute data that can be stored in the directory. Active Directory domain controllers include a default schema that defines many object types, such as user and computer accounts, groups, domains, organizational units, and security policies. Administrators and programmers can extend the schema by defining new object types and attributes or by adding new attributes for existing objects. Schema objects are protected by access control lists, ensuring that only authorized users can alter the schema. The schema partition is replicated to each domain controller in the forest.

Configuration. The configuration partition describes the topology of the forest as well as other forest, domain and domain controller settings. This configuration data includes a list of all domains, trees, and forests and the locations of the domain controllers and global catalogs. The configuration partition is replicated to each domain controller in the forest.

Application. Applications and services can use application directory partitions to store application-specific data. Data stored in the application directory partition is intended to satisfy cases where information needs to be replicated but not necessarily on a global scale. Application directory partitions can contain any type of object, except security principals. Application directory partitions are usually created by the applications that will use them to store and replicate data. One of the benefits of an application directory partition is that, for redundancy, availability, or fault tolerance, the data in it can be replicated to different domain controllers in a forest. The data can be replicated to a specific domain controller or any set of domain controllers anywhere in the forest. This differs from a domain directory partition, in which data is replicated to all domain controllers in that domain. Only domain controllers running Windows Server 2003 or higher can host a replica of an application directory partition. Application directory partitions are created, configured, and managed by the administrator.

All forest replication is multi-master, with the exception of the operations performed by the three domain-wide and two forest-wide operations master roles, each of which is carried out by a single domain controller. Forest-wide replication requires domain controllers and three other components of the Active Directory physical structure to be in place for optimal performance. These components are forest-wide operations master roles, sites, and global catalogs.

Forest-Wide Operations Master Roles

There are two operations master roles assigned for the entire forest: the domain naming master and the schema master. Each forest must have one and only one schema master and one domain naming master. Both roles are placed on the first domain controller of the forest root domain when the forest is created and, by convention, are kept in that domain. The other three operations master roles are assigned to each domain in the forest. These three roles must be unique in each domain, so each domain can have only one relative ID master, one PDC emulator, and one infrastructure master.

In an Active Directory forest with only one domain and one domain controller, that domain controller has all the operations master roles. For more information about operations master roles, see “How Operations Masters Work.”

Sites

Sites in Active Directory represent the physical structure, or topology, of the network. Within the scope of a forest, sites are a representation of the physical network topology, including physical subnet and site definitions. When you establish sites, domain controllers within a single site communicate frequently. This communication minimizes the latency within the site; that is, the time required for a change that is made on one domain controller to be replicated to other domain controllers. You create sites to optimize use of the bandwidth between domain controllers in different locations. For more information about sites, see “How Active Directory Replication Topology Works.”

Global Catalogs

The global catalog stores a full copy of all Active Directory objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest. Users in a forest do not need to be aware of directory structure because all users see a single directory through the global catalog. Applications and clients can query the global catalog to locate any object in a forest. The global catalog is hosted on one or more domain controllers in the forest. It contains a partial replica of every domain directory partition in the forest. These partial replicas include replicas of every object in the forest, including the attributes most frequently used in search operations and the attributes required to locate a full replica of the object. A global catalog is created automatically on the first domain controller in the forest. Optionally, other domain controllers can be configured to serve as global catalogs.

A global catalog serves the following roles:

- Enables user searches for directory information about objects throughout all domains in the forest
- Resolves user principal names (UPNs) during authentication, when the authenticating domain controller does not have information about the account
- Supplies universal group membership information in a multiple domain environment
- Validates references to objects in other domains in the forest

For more information about global catalogs and their roles, see “How the Global Catalog Works.”

Forests as Security Boundaries

Each forest is a single instance of the directory, the top-level Active Directory container, and a security boundary for all objects that are located in the forest. This security boundary defines the scope of authority of the administrators. In general, a security boundary is defined by the top-level container for which no administrator external to the container can take control away from administrators within the container. As shown in the following figure, no administrators from outside a forest can control access to information inside the forest unless first given permission to do so by the administrators within the forest.

Enterprise Administrators Outside of a Forest Can Administer Only Within Their Own Forest

A forest is the only component of the Active Directory logical structure that is a security boundary. By contrast, a domain is not a security boundary because it is not possible for administrators from one domain to prevent a malicious administrator from another domain within the forest from accessing data in their domain. A domain is, however, the administrative boundary for managing objects, such as users, groups, and computers. In addition, each domain has its own individual security policies and trust relationships with other domains.

Forests as Units of Delegation

The forest is the largest management unit of Active Directory as well as the ultimate unit of autonomy and isolation of authority. Members of the Enterprise Admins and forest root Domain Admins security groups are known as enterprise administrators. Enterprise administrators control the Active Directory objects in the configuration container that do not belong to any one domain, including Enterprise Certification Authority objects and other configuration data that affects all domains in the forest.

Because enterprise administrators have authority over all domains in the forest, the domain administrators in each domain must trust the enterprise administrators. You cannot truly restrict enterprise administrators from managing objects in any domain in the forest. Enterprise administrators can always regain control over objects. Some organizations with political challenges, such as those frequently encountered in mergers and acquisitions, might find the scope of this enterprise authority too great and require more than one forest. If your organization requires strict isolation of authority between domains, you must deploy multiple forests with manually created trusts between domains in the different forests.

Because each forest is administered separately, adding additional forests to your organization increases the management overhead of the organization. The number of forests that you need to deploy is based on the autonomy and isolation requirements of each group within your organization. Reasons to create multiple forests in your organization include:

- To secure data within each forest. Sensitive data can be protected so that only users within that forest can access it.
- To isolate directory replication within each forest. Schema changes, configuration changes, and the addition of new domains to a forest have forest-wide impact only within that forest, not on a trusting forest.

Because the forest is a security boundary, no forest trusts or allows access from any other forest by default. However, in Windows Server 2003 and higher Active Directory, transitive trust relationships (forest trusts) can be manually established between forests to establish cross-forest access to resources, so that users in one forest can access resources in another forest. Both forests must be operating at the Windows Server 2003 forest functional level or higher.

Forest trusts help you to manage a segmented Active Directory infrastructure within your organization by providing support for accessing resources and other objects across multiple forests. By using forest trusts, you can link two different Windows Server 2003 or higher forests to form a one-way or two-way transitive trust relationship. A forest trust allows administrators to federate two Active Directory forests with a single trust relationship to provide a seamless authentication and authorization experience across the forests.

When two forests are connected by a forest trust, authentication requests made using the Kerberos V5 or NTLM protocols can be routed between forests to provide access to resources in both forests. Trust security settings (such as SID filtering and selective authentication) and firewalls can be configured between domains in different forests that are joined by trust relationships to limit cross-forest connectivity to specific users or applications. For more information about trust security settings, see “Security Considerations for Trusts.”

A forest trust can be created only between a forest root domain in one Windows Server 2003 or higher forest and a forest root domain in another Windows Server 2003 or higher forest. Forest trusts can be created between two forests only and cannot be implicitly extended to a third forest. This means that if a forest trust is created between Forest 1 and Forest 2, and another forest trust is created between Forest 2 and Forest 3, Forest 1 does not have an implicit trust with Forest 3. The following figure shows two separate forest trust relationships between three forests in a single organization.

Two Forest Trusts Between Three Windows Server 2003 Forests 
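Two routing rules from this section are worth checking mechanically: under “Tree Root Domain”, authentication between domains in different trees of one forest passes through the forest root, and under “Forests as Units of Delegation”, a forest trust between Forest 1 and Forest 2 plus one between Forest 2 and Forest 3 gives Forest 1 no path to Forest 3. The Python below is an added example, not code from the article; its three forests (wingtiptoys.com with a second tree tailspintoys.com, fabrikam.com, and contoso.com) and the two forest trusts between them are a constructed sample. Each forest is modeled as a trust tree with tree roots as children of the forest root; an intra-forest path is the chain of parent/child (or optional shortcut) trusts found by breadth-first search, and a cross-forest path goes up to the source forest root, across the forest trust and down to the target, and exists only when the two forests share a direct forest trust.

```python
"""Authentication routing over trusts: intra-forest trust tree and forest trusts.

Added example, not code from the original article. The forests, domains and
trusts in sample_enterprise() are a constructed sample: within a forest every
domain trusts its parent (tree roots are children of the forest root), trusts
are two-way and transitive, and a forest trust links two forest root domains
but is never extended to a third forest.
"""
from collections import deque


class Forest:
    def __init__(self, root, parents, shortcuts=()):
        # parents maps child domain -> parent domain; tree roots map to the forest root
        self.root = root
        self.adj = {root: set()}
        for child, parent in parents.items():
            self.adj.setdefault(child, set()).add(parent)
            self.adj.setdefault(parent, set()).add(child)
        for a, b in shortcuts:  # optional shortcut trusts bypass the forest root
            self.adj.setdefault(a, set()).add(b)
            self.adj.setdefault(b, set()).add(a)

    def domains(self):
        return set(self.adj)

    def trust_path(self, src, dst):
        """Chain of trusts a referral follows inside one forest (shortest, by BFS)."""
        prev = {src: None}
        queue = deque([src])
        while queue:
            domain = queue.popleft()
            if domain == dst:
                break
            for neighbour in self.adj[domain]:
                if neighbour not in prev:
                    prev[neighbour] = domain
                    queue.append(neighbour)
        if dst not in prev:
            return None
        path = []
        while dst is not None:
            path.append(dst)
            dst = prev[dst]
        return path[::-1]


class Enterprise:
    def __init__(self, forests, forest_trusts=()):
        self.forests = {f.root: f for f in forests}
        self.forest_of = {d: f.root for f in forests for d in f.domains()}
        # a forest trust applies only to the two forests that created it
        self.forest_trusts = {frozenset(pair) for pair in forest_trusts}

    def authentication_path(self, src, dst):
        """Domains an authentication request is referred through, or None if no trust path exists."""
        src_forest, dst_forest = self.forest_of[src], self.forest_of[dst]
        if src_forest == dst_forest:
            return self.forests[src_forest].trust_path(src, dst)
        if frozenset((src_forest, dst_forest)) not in self.forest_trusts:
            return None  # no direct forest trust: Forest 1 cannot reach Forest 3 via Forest 2
        # up to the source forest root, across the forest trust, down to the target domain
        up = self.forests[src_forest].trust_path(src, src_forest)
        down = self.forests[dst_forest].trust_path(dst_forest, dst)
        return up + down


def sample_enterprise():
    """Three forests with Forest 1 <-> Forest 2 and Forest 2 <-> Forest 3 trusts (constructed)."""
    forest1 = Forest("wingtiptoys.com", {
        "noam.wingtiptoys.com": "wingtiptoys.com",
        "sales.noam.wingtiptoys.com": "noam.wingtiptoys.com",
        "tailspintoys.com": "wingtiptoys.com",  # second tree; its trust parent is the forest root
    })
    forest2 = Forest("fabrikam.com", {"eu.fabrikam.com": "fabrikam.com"})
    forest3 = Forest("contoso.com", {})
    return Enterprise([forest1, forest2, forest3],
                      forest_trusts=[("wingtiptoys.com", "fabrikam.com"),
                                     ("fabrikam.com", "contoso.com")])


if __name__ == "__main__":
    ent = sample_enterprise()
    for src, dst in [("sales.noam.wingtiptoys.com", "tailspintoys.com"),
                     ("noam.wingtiptoys.com", "eu.fabrikam.com"),
                     ("noam.wingtiptoys.com", "contoso.com")]:
        print(src, "->", dst, ":", ent.authentication_path(src, dst))
```

The model deliberately ignores access control, SID filtering and selective authentication: a returned path means only that authentication can be referred along it, which is exactly the sense in which the text uses “trust”.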

How Domains and Forests Work

Updated: November 19, 2014

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

In this section

- Domain and Forest Structure
- Active Directory Objects
- Domain and Forest Protocols and Programming Interfaces
- Domain and Forest Processes and Interactions
- Network Ports Used by Domains and Forests
- Related Information

Active Directory stores data for an entire forest. A forest is a distributed database, which is made up of directory partitions spread across multiple computers. A domain is one partition of the database; each domain contains Active Directory objects, such as security principal objects (users, computers, and groups) to which you can grant or deny access to network resources. All domain data stored in the domain directory partition is replicated to domain controllers in that domain only.

Note

In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to Active Directory, but the information is also applicable to Active Directory Domain Services.

The directory partitions that store configuration and schema information are replicated to domain controllers in all domains. In this way, Active Directory provides a data repository that is logically centralized but physically distributed. Because all domain controllers store forest-wide configuration and schema information, a domain controller in one domain can reference a domain controller in any other domain if the information that it is requesting is not stored locally.

This section details how domains and forests work, discusses the various components of domains and forests, describes several common processes that depend on domains and forests, and lists the network ports related to domains and forests.

Domain and Forest Structure

A forest consists of a hierarchical structure of domain containers that are used to categorically store information about objects on the network. Domain containers are considered the core functional units in the forest structure. This is because each domain container in a forest is used primarily to store and manage Active Directory objects, most of which have a physical representation (such as people, printers, or computers). Forests also provide the structure by which domain containers can be segregated into one or more unique Domain Name System (DNS) namespace hierarchies known as domain trees.

In addition, the domain tree hierarchy is based on trust relationships; that is, the domain containers are linked by intra-forest trust relationships. When it is necessary for domain containers in the same organization to have different namespaces, you can create a separate tree for each namespace. In Active Directory, the roots of trees are linked automatically by two-way, transitive trust relationships. Trees linked by trust relationships form a forest. A single tree that is related to no other trees constitutes a forest of one tree. The domain and forest structure is made up of the following components:

- Cross-References
- Trust Relationships
- Forest Root
- Domain Trees and Child Domains
- Domain Names

For more information about Active Directory domains and DNS, see “How DNS Support for Active Directory Works.”

This section describes the structure and function of these components, and describes how this structure helps administrators manage the network so that users can accomplish business objectives.

Cross-References

Cross-references enable every domain controller to be aware not only of the partitions that it holds, but of all directory partitions in the forest. The information contained within cross-references forms the glue that holds the pieces of the domain and forest structure together. Because Active Directory is logically partitioned, and directory partitions are the discrete components of the directory that replicate between domain controllers, either all objects in a directory partition are present on a particular domain controller or no objects in the directory partition are present on the domain controller. For this reason, cross-references have the effect of linking the partitions together, which allows operations such as searches to span multiple partitions.

Cross-references are stored as directory objects of the class crossRef that identify the existence and location of all directory partitions, irrespective of location in the directory tree. In addition, these objects contain information that Active Directory uses to construct the directory tree hierarchy. Values for the following attributes are required for each cross-reference:

- nCName. The distinguished name of the directory partition that the crossRef object references. (The prefix nC stands for naming context, which is a synonym for directory partition.) The combination of all of the nCName properties in the forest defines the entire directory tree, including the subordinate and superior relationships between partitions.
- dNSRoot. The DNS name of the domain where servers that store the particular directory partition can be reached. This value can also be a DNS host name.

How Cross-Reference Information is Propagated Throughout the Domain and Forest Structure

For every directory partition in a forest, there is an internal cross-reference object stored in the Partitions container (cn=Partitions,cn=Configuration,dc=ForestRootDomain). Because cross-reference objects are located in the Configuration container, they are replicated to every domain controller in the forest, and thus every domain controller has information about the name of every partition in the forest. By virtue of this knowledge, any domain controller can generate referrals to any other domain in the forest, as well as to the schema and configuration directory partitions.

When you create a new forest, the Active Directory Installation Wizard creates three directory partitions: the first domain directory partition, the configuration directory partition, and the schema directory partition. For each of these partitions, a cross-reference object is created automatically. Thereafter, when a new domain is created in the forest, another directory partition is created and the respective cross-reference object is created. When the configuration directory partition is replicated to the new domain controller, a cross-reference object is created on the domain naming master and is then replicated throughout the forest.

Note 

• The state of cross-reference information at any specific time is subject to the effects of replication latency.

For more information about cross-reference objects, see "How Active Directory Searches Work." Cross-reference objects can also be used to generate referrals to other directory partitions located in another forest through external cross-references.

External Cross-References

An external cross-reference is a cross-reference object that can be created manually to provide the location of an object that is not stored in the forest. If your Lightweight Directory Access Protocol (LDAP) clients submit operations for an external portion of the global LDAP namespace against servers in your forest, and you want servers in your forest to refer the client to the correct location, you can create a cross-reference object for that directory in the Partitions container. There are two ways that external cross-references are used:

• To reference external directories by their disjoint directory name (a name that is not contiguous with the name of this directory tree). In this case, when you create the cross-reference, you create a reference to a location that is not a child of any object in this directory.


• To reference external directories by a name that is within the Active Directory namespace (a name that is contiguous with the name of this directory tree). In this case, when you create the cross-reference, you create a reference to a location that is a child of a real object in this directory.

Because the domain component (dc=) portion of the distinguished name of every Active Directory domain matches its DNS name, and because DNS is the worldwide namespace, all domain controllers can generate external referrals to each other automatically.
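The following is an added example, not code from the original topic, that models the Partitions container as a list of crossRef records carrying just nCName and dNSRoot, and shows the two things those attributes are used for: finding the partition that holds a given distinguished name (longest-suffix match, so that an object in a child domain is not attributed to the forest root partition) and building the LDAP referral a domain controller hands back, including for an external cross-reference with a disjoint name. The wingtiptoys.com forest follows the names used elsewhere in this topic; the fabrikam.com external directory and its host ldap.fabrikam.com are assumed.

```python
import re

# Constructed crossRef records, as they would sit in
# cn=Partitions,cn=Configuration,dc=wingtiptoys,dc=com. Only nCName and
# dNSRoot are modelled. The fabrikam.com entry is an assumed external
# cross-reference with a disjoint name (not a child of anything in this forest).
CROSS_REFS = [
    {"nCName": "DC=wingtiptoys,DC=com", "dNSRoot": "wingtiptoys.com"},
    {"nCName": "DC=noam,DC=wingtiptoys,DC=com", "dNSRoot": "noam.wingtiptoys.com"},
    {"nCName": "DC=euro,DC=wingtiptoys,DC=com", "dNSRoot": "euro.wingtiptoys.com"},
    {"nCName": "CN=Configuration,DC=wingtiptoys,DC=com", "dNSRoot": "wingtiptoys.com"},
    {"nCName": "CN=Schema,CN=Configuration,DC=wingtiptoys,DC=com", "dNSRoot": "wingtiptoys.com"},
    {"nCName": "DC=fabrikam,DC=com", "dNSRoot": "ldap.fabrikam.com"},  # external, assumed
]

# Split a DN on commas that are not escaped with a backslash (RFC 4514).
# An escaped backslash followed by a comma ("\\,") is not handled here.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def normalize_dn(dn):
    """Lower-cased list of RDNs, leaf first, for case-insensitive comparison."""
    return [rdn.strip().lower() for rdn in _RDN_SPLIT.split(dn)]


def is_suffix(suffix_dn, dn):
    """True if suffix_dn names dn itself or one of its ancestors."""
    s, d = normalize_dn(suffix_dn), normalize_dn(dn)
    return len(s) <= len(d) and d[len(d) - len(s):] == s


def find_partition(dn, cross_refs=CROSS_REFS):
    """crossRef whose nCName is the longest matching suffix of dn, or None.

    Longest match matters: an object in dc=noam,dc=wingtiptoys,dc=com also has
    dc=wingtiptoys,dc=com as a suffix, but it lives in the child partition.
    """
    best = None
    for xref in cross_refs:
        if is_suffix(xref["nCName"], dn):
            if best is None or len(normalize_dn(xref["nCName"])) > len(normalize_dn(best["nCName"])):
                best = xref
    return best


def referral_for(dn, cross_refs=CROSS_REFS):
    """LDAP referral URL a DC that does not hold dn would return, or None.

    The URL names the server from dNSRoot and the partition root from nCName;
    the client re-issues its operation there.
    """
    xref = find_partition(dn, cross_refs)
    if xref is None:
        return None
    return "ldap://%s/%s" % (xref["dNSRoot"], xref["nCName"])


def partition_tree(cross_refs=CROSS_REFS):
    """Map each nCName to its superior partition (None for a tree root).

    This is the subordinate/superior structure that the set of nCName values
    defines; the configuration partition shows up logically under the forest
    root domain even though it is a separate partition.
    """
    names = [xref["nCName"] for xref in cross_refs]
    tree = {}
    for name in names:
        parent = None
        for other in names:
            if other != name and is_suffix(other, name):
                if parent is None or len(normalize_dn(other)) > len(normalize_dn(parent)):
                    parent = other
        tree[name] = parent
    return tree


if __name__ == "__main__":
    target = "CN=Ssmith,OU=Promotions,OU=Marketing,DC=noam,DC=wingtiptoys,DC=com"
    print(referral_for(target))
    for name, parent in partition_tree().items():
        print("%-55s superior: %s" % (name, parent))
```

Against a live forest the same two attributes can be read with `Get-ADObject -SearchBase "CN=Partitions,CN=Configuration,<forest root DN>" -LDAPFilter "(objectClass=crossRef)" -Properties nCName,dNSRoot` and fed to the functions above; real crossRef objects carry further attributes that this model omits.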

Trust Relationships

Active Directory provides security across multiple domains through intra-forest trust relationships. When there are trust relationships between domains in the same forest, the authentication mechanism for each domain trusts the authentication mechanism for all other trusted domains. If a user or application is authenticated by one domain, its authentication is accepted by all other domains that trust the authenticating domain. Users in a trusted domain have access to resources in the trusting domain, subject to the access controls that are applied in the trusting domain.

Note 

• Default intra-forest trust relationships are created at the time the domains are created. The number of trust relationships required to connect n domains is n – 1, whether the domains are linked in a single, contiguous parent-child hierarchy or constitute two or more separate contiguous parent-child hierarchies.

A trust relationship is a relationship established between two domains that allows users in one domain to be recognized by a domain controller in the other domain. Trusts let users access resources in the other domain, and also let administrators manage user rights for users in the other domain. Account authentication between domains is enabled by two-way, transitive trust relationships. All domain trusts in an Active Directory forest are two-way and transitive and have the following attributes:

• Two-way. When you create a new child domain, the child domain automatically trusts the parent domain, and vice versa. At the practical level, this means that authentication requests can be passed between the two domains in both directions.

• Transitive. A transitive trust reaches beyond the two domains in the initial trust relationship. For example, if Domain A and Domain B (parent and child) trust each other, and if Domain B and Domain C (also parent and child) trust each other, Domain A and Domain C also trust each other (implicitly), even though no direct trust relationship between them exists.

At the level of the forest, a trust relationship is created automatically between the forest root domain and the root domain of each domain tree added to the forest, with the result that complete trust exists between all domains in an Active Directory forest. At the practical level, because trust relationships are transitive, a single logon process lets the system authenticate a user (or computer) in any domain in the forest. As shown in the following figure, this single logon process lets the account access resources on any domain in the forest.

Transitive Trusts Facilitate Cross-Domain Access to Resources With a Single Logon 


Note 

• Single logons enabled by trusts do not necessarily imply that the authenticated user has rights and permissions in all domains in the forest. This is because in any discussion of trust relationships, access to resources always assumes the limitations of access control.
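As an added example (not part of the original topic) that puts the rules above into code, the following models a small forest and walks its trust relationships to decide whether a domain accepts an authentication from another domain: two-way trusts are traversed in both directions, and only transitive trusts are allowed to chain. The forest uses wingtiptoys.com with the child domains noam and euro from this topic; the second tree tailspintoys.com and the Windows NT 4.0 domain LEGACY, joined by a one-way, non-transitive external trust, are assumed for illustration. The constructed forest also satisfies the n – 1 count from the note: four forest domains, three automatically created trusts.

```python
from collections import deque

# Constructed forest: wingtiptoys.com is the forest root, noam and euro are
# its child domains, tailspintoys.com is the root of a second tree (assumed
# name). LEGACY is an assumed Windows NT 4.0 domain outside the forest.
FOREST_DOMAINS = ["wingtiptoys.com", "noam.wingtiptoys.com",
                  "euro.wingtiptoys.com", "tailspintoys.com"]

# Each trust: (trusting domain, trusted domain, two_way, transitive, kind).
# Forest-internal trusts are created automatically and are two-way and transitive.
FOREST_TRUSTS = [
    ("wingtiptoys.com", "noam.wingtiptoys.com", True, True, "parent-child"),
    ("wingtiptoys.com", "euro.wingtiptoys.com", True, True, "parent-child"),
    ("wingtiptoys.com", "tailspintoys.com", True, True, "tree-root"),
]

# An external trust to an NT 4.0 domain is created by hand, is one-way here,
# and is not transitive: it joins exactly the two domains named in it.
EXTERNAL_TRUSTS = [
    ("noam.wingtiptoys.com", "LEGACY", False, False, "external"),
]

ALL_TRUSTS = FOREST_TRUSTS + EXTERNAL_TRUSTS


def trust_edges(trusts):
    """Directed edges trusting -> trusted; a two-way trust yields both directions."""
    edges = {}
    for trusting, trusted, two_way, transitive, _kind in trusts:
        edges.setdefault(trusting, []).append((trusted, transitive))
        if two_way:
            edges.setdefault(trusted, []).append((trusting, transitive))
    return edges


def trust_path(resource_domain, account_domain, trusts=ALL_TRUSTS):
    """Domains traversed from the resource domain to the account's domain.

    The resource domain accepts an authentication from account_domain if it
    trusts that domain directly (transitive or not), or reaches it through a
    chain made only of transitive trusts. Returns the chain, or None.
    """
    if resource_domain == account_domain:
        return [resource_domain]
    edges = trust_edges(trusts)
    for nxt, _transitive in edges.get(resource_domain, []):
        if nxt == account_domain:          # direct trust: one hop always suffices
            return [resource_domain, nxt]
    seen = {resource_domain}
    queue = deque([[resource_domain]])
    while queue:
        path = queue.popleft()
        for nxt, transitive in edges.get(path[-1], []):
            if not transitive or nxt in seen:   # non-transitive trusts do not chain
                continue
            if nxt == account_domain:
                return path + [nxt]
            seen.add(nxt)
            queue.append(path + [nxt])
    return None


def can_authenticate(resource_domain, account_domain, trusts=ALL_TRUSTS):
    """True if a logon from account_domain is accepted by resource_domain.

    Acceptance of the authentication is all a trust gives; whether the account
    then gets to anything is decided by the ACLs in the resource domain.
    """
    return trust_path(resource_domain, account_domain, trusts) is not None


if __name__ == "__main__":
    print(len(FOREST_DOMAINS), "domains,", len(FOREST_TRUSTS), "automatic trusts")
    print(trust_path("euro.wingtiptoys.com", "tailspintoys.com"))
    print(can_authenticate("noam.wingtiptoys.com", "LEGACY"))
    print(can_authenticate("euro.wingtiptoys.com", "LEGACY"))
```

A path here means only that the authentication is accepted, as the note above says; what the account can touch is still decided by the ACLs in the resource domain. Transitivity across every domain of the forest is also why the forest, not the domain, is the unit to rely on when separate security boundaries are needed, which is the point of the later note about creating another forest rather than another tree.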

Forest Root Domain

The first domain created in the forest is called the forest root domain. When you create a new tree, you specify the root domain of the initial tree, and a trust relationship is established between the root domain of the second tree and the forest root domain. If you create a third tree, a trust relationship is established between the root domain of the third tree and the forest root domain. Because all trust relationships created within a forest are transitive and two-way, the root domain of the third tree also has a two-way trust relationship with the root domain of the second tree. In Windows 2000 Active Directory, the forest root domain cannot be deleted, changed, or renamed. In Windows Server 2003 Active Directory or higher, the forest root domain cannot be deleted, but it can be restructured or renamed.

The distinguished name of the forest root domain is used to locate the configuration and schema directory partitions in the namespace. The distinguished names for the configuration and schema containers in Active Directory always show these containers as child objects in the forest root domain. For example, in the child domain Noam.wingtiptoys.com, the distinguished name of the Configuration container is cn=configuration,dc=wingtiptoys,dc=com. The distinguished name of the Schema container is cn=schema,cn=configuration,dc=wingtiptoys,dc=com. However, this naming convention provides only a logical location for these containers.

The containers do not exist as child objects of the forest root domain, nor is the schema directory partition actually a part of the configuration directory partition. They are separate directory partitions. Every domain controller in a forest stores a copy of the configuration and schema directory partitions, and every copy of these partitions has the same distinguished name on every domain controller. The following operations occur when you create the forest root domain:

• The Schema container and the Configuration container are created.

• The Active Directory Installation Wizard assigns the PDC emulator, RID master, domain naming master, schema master, and infrastructure master roles to the domain controller.

The Enterprise Admins and Schema Admins groups are located in this domain. By default, members of these two groups have forest-wide administrative credentials.

Domain Trees and Child Domains

A forest is a collection of one or more domain trees, organized as peers and connected by two-way, transitive trust relationships. A single domain constitutes a tree of one domain, and a single tree constitutes a forest of one tree. Thus, a forest is synonymous with Active Directory; that is, the set of all directory partitions in a particular directory service instance (which includes all domains and all configuration and schema information) makes up a forest.

Trees in the same forest do not form a contiguous namespace. They form a noncontiguous namespace that is based on different DNS root domain names. However, trees in a forest share a common directory schema, configuration, and global catalog. (The global catalog is a domain controller that stores a partial copy of every object of every domain in an Active Directory forest, which makes it possible to search for objects at the forest level rather than at the tree level.) This sharing of common schema and configuration data, in addition to trust relationships between their roots, distinguishes a forest from a set of unrelated trees. Although the roots of the separate trees have names that are not contiguous with each other, the trees share a single overall namespace because names of objects can still be resolved by the same Active Directory instance.

Note 

• The directory schema and configuration data are shared because they are stored in separate logical directory partitions that are replicated to domain controllers in every domain in the forest. The data about a particular domain is replicated only to domain controllers in the same domain.

Domain Trees

A domain tree is a DNS namespace: it has a single root domain and is built as a strict hierarchy; each domain below the root domain has exactly one superior, or parent, domain. The namespace created by this hierarchy, therefore, is contiguous: each level of the hierarchy is directly related to the level above it and to the level below it, if any. In Active Directory, the following rules determine the way that trees function in the namespace:

• A tree has exactly one name. The name of the tree is the DNS name of the domain at the root of the tree.

• The names of domains created beneath the root domain (child domains) are always contiguous with the name of the tree root domain.

• The DNS names of the child domains of the tree root domain reflect this organization; therefore, the children of a tree root domain called Somedomain are always children of that domain in the DNS namespace (for example, Child1.somedomain, Child2.somedomain, and so forth).

Note 

• Tree and forest hierarchies are specific to Active Directory domains. A Windows NT 4.0 domain that is configured to trust or to be trusted by an Active Directory domain is not part of the forest to which the Active Directory domain belongs.

The forest structure provides organizations with the option of constructing their enterprise from separate, distinct, noncontiguous namespaces. Having a separate namespace is desirable under conditions where, for example, the namespace of an acquired company should remain intact. If you have business units with distinct DNS names, you can create additional trees to accommodate the names.

Note 

• Before creating a new domain tree when you want a different DNS namespace, consider creating another forest. Multiple forests provide administrative autonomy, isolation of the schema and configuration directory partitions, separate security boundaries, and the flexibility to use an independent namespace design for each forest.

When you create a new domain tree, you specify the root domain of the initial tree, and a trust relationship is established between the root domain of the new tree (the second tree) and the forest root domain. If you create a third tree, a trust relationship is established between the root domain of the third tree and the forest root domain. Because a trust relationship is transitive and two-way, the root domain of the third tree also has a two-way trust relationship with the root domain of the second tree. The following operations occur when you create a new tree root domain in an existing forest:

• Location of a source domain controller in the forest root domain and synchronization of domain system time with the system time of the source domain controller.

• Creation of a tree-root trust relationship between the tree root domain and the forest root domain, and creation of the trusted domain object (TDO) in both domains. The tree-root trust relationship is two-way and transitive.

Child Domains


Child domains can represent geographical entities (for example, the United States and Europe), administrative entities within the organization (for example, sales and marketing departments), or other organization-specific boundaries, according to the needs of the organization. Domains are created below the root domain to minimize Active Directory replication and to provide a means for creating domain names that do not change. Changes in the overall domain architecture, such as domain collapses and domain re-creation, create difficult and potentially IT-intensive support requirements. A good namespace design should be capable of withstanding reorganizations without the need to restructure the existing domain hierarchy.

Each time you create a new child domain, a two-way transitive trust relationship (known as the parent-child trust) is automatically created between the parent and new child domain. In this way, transitive trust relationships flow upward through the domain tree as it is formed, creating transitive trusts between all domains in the domain tree. The parent-child relationship is a naming and trust relationship only. Administrators in a parent domain are not automatically administrators of a child domain. Likewise, policies set in a parent domain do not automatically apply to child domains.

The following operations occur when you create a child domain in an existing tree:

• Verification of the name that you provide as a valid child domain name.

• Location of a source domain controller in the parent domain and synchronization of the system time of the child domain with the system time of the source domain controller.

• Creation of parent-child TDOs in the System container of both the parent domain and the child domain. The TDO objects identify two-way transitive trust relationships between the child domain and the parent domain.

• Replication of the Active Directory Schema container and the Configuration container from a domain controller in the parent domain.

Domain Names

Active Directory uses DNS naming standards for hierarchical naming of Active Directory domains and computers. For this reason, domain and computer objects are part of both the DNS domain hierarchy and the Active Directory domain hierarchy. Although these domain hierarchies have identical names, they represent separate namespaces.

The domain hierarchy defines a namespace. A namespace is any bounded area in which standardized names can be used to symbolically represent some type of information (such as an object in a directory or an Internet Protocol [IP] address) and that can be resolved to the object itself. In each namespace, specific rules determine how names can be created and used. Some namespaces, such as the DNS namespace and the Active Directory namespace, are hierarchically structured and provide rules that allow the namespace to be partitioned. Other namespaces, such as the Network Basic Input/Output System (NetBIOS) namespace, are flat (unstructured) and cannot be partitioned.

The main function of DNS is to map user-readable computer names to computer-readable IP addresses. Thus, DNS defines a namespace for computer names that can be resolved to IP addresses, or vice versa. In Windows NT 4.0 and earlier, DNS names were not required; domains and computers used NetBIOS names, which were mapped to IP addresses by using the Windows Internet Name Service (WINS). Although DNS names are required for Active Directory domains and Windows 2000-, Windows XP-, and Windows Server 2003-based computers, NetBIOS names are also supported in Windows Server 2003 for interoperability with Windows NT 4.0 domains and with clients that are running Windows NT 4.0 or earlier, Windows for Workgroups, Windows 98, or Windows 95. There is no interoperability between Windows Server 2008 and higher domains and Windows NT 4.0 domains.

Note 

• WINS and NetBIOS are not required in an environment where computers run only Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2, but WINS is required for interoperability between Windows 2000 Server- and Windows Server 2003-based domain controllers, computers that are running earlier versions of Windows, and applications that depend on the NetBIOS namespace, for example, applications that call NetServerEnum and other so-called Net* application programming interfaces (APIs) that depend on NetBIOS. There is no interoperability between Windows Server 2008-based domains and Windows NT 4.0 domains.

Active Directory domains have both DNS names and NetBIOS names. In general, both names are visible to end users. The DNS names of Active Directory domains include two parts, a prefix and a suffix. The DNS prefix is the first label in the DNS name of the domain. The suffix is the name of the Active Directory forest root domain. For example, the first label of the DNS name for the Child1.wingtiptoys.com domain is Child1 and is referred to as the DNS prefix. The name of the forest root domain in that same forest is wingtiptoys.com and is referred to as the DNS suffix.

Active Directory Domain Names and the Internet

Active Directory domain names can exist within the scope of the global Internet DNS namespace. When an Internet presence is required by an individual or organization, the Active Directory namespace is maintained as one or more hierarchical Windows 2000 domains beneath a root domain that is registered as a DNS namespace. Registration of individual and organizational root domain DNS names ensures the global uniqueness of all DNS names and provides for the assignment of network addresses that are recorded in the global DNS database. Registration of the DNS name for the root domain of the individual or organization also grants that individual or organization the authority to manage its own hierarchy of child domains, zones, and hosts within the root domain.

Note 

• An organization might or might not choose to be part of the global Internet DNS namespace. However, even if the root domain of the organization is not registered as an Internet DNS namespace, the DNS service is required to locate Windows 2000-, Windows XP-, Windows Server 2003-, Windows Vista-, Windows Server 2008-, Windows 7-, and Windows Server 2008 R2-based computers in general and Windows 2000 Server-, Windows Server 2003-, Windows Server 2008-, and Windows Server 2008 R2-based domain controllers in particular.

For more information about domain names, see "How DNS Support for Active Directory Works."


Active Directory Objects

Active Directory objects represent the entities that make up a network. An object is a distinct, named set of attributes that represents something concrete, such as a user, a printer, or an application. When you create an Active Directory object, Active Directory generates values for some of the attributes of the object; others you provide. For example, when you create a user object, Active Directory assigns a globally unique identifier (GUID) and a security identifier (SID), and you provide values for such attributes of the user as the given name, surname, logon identifier, and so on. This section describes the key identifiers assigned to objects by Active Directory and their associated naming schemes.

Object Uniqueness

Each object in Active Directory is associated with at least one identifier that identifies that object as unique in an enterprise. This object identifier is referred to as a globally unique identifier (GUID). Another identifier, referred to as a security ID (SID), is used on security-enabled objects so that authentication and authorization services can determine its origin and validity within the domain or forest. Active Directory objects that are security-enabled are referred to as security principals.

A security principal is an object managed by Active Directory that is automatically assigned a SID for logon authentication and for access to resources. A security principal can be a user account, computer account, or a group, and is unique within a single domain. A security principal object must be authenticated by a domain controller in the domain in which the security principal object is located, and it can be granted or denied access to network resources.

GUIDs

Every object in Active Directory has a GUID, a 128-bit number assigned by the Directory System Agent when the object is created. The GUID, which cannot be altered or removed, is stored in an attribute that is required for every object, not just security principal objects. The GUID of each object is stored in its Object-GUID (objectGUID) property. When storing a reference to an Active Directory object in an external store (for example, a Microsoft SQL Server database), the objectGUID value should be used.

Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of the properties of an object that is published in the global catalog. Searching the global catalog for the GUID of a User object will yield results if the user has an account somewhere in the enterprise. In fact, searching for any object by Object-GUID might be the most reliable way of finding the object you want to find. This is because the values of other object properties can change, but the Object-GUID never changes. When an object is assigned a GUID, it always keeps that value.

Security IDs (SIDs)

When a new security principal is created, Active Directory stores the SID of the security principal in the Object-SID (objectSID) property of the object and assigns the new object a GUID. Each security principal (as well as the domain itself) has a SID, which is the property that authoritatively identifies the object to the Windows security subsystem. The SID of a user, group, or computer is derived from the SID of the domain to which the object belongs; this SID is made up of the value of the domain SID and one additional 32-bit component called the relative identifier (RID).

In Windows 2000 and later operating systems, ACLs are used to identify users and groups by SID, not by GUID, even ACLs on resources in Active Directory. A user gains access to, for example, a Group Policy object, based on one of the SIDs belonging to the user, not based on the GUID for the User object.

SIDs and Migrations

When an employee moves to a different location or to a new position, their user account might need to be moved or migrated to a different domain within the organization. Migrating a user account from one domain to another replaces the SID of the account with a new SID and new RID assigned by the new domain. For example, if Nicolette moves from North America to Europe, but stays in the same company, her account can be transferred with her. An administrator with the appropriate credentials can simply move her User object from, say, the Noam.wingtiptoys.com domain to the Euro.wingtiptoys.com domain. When the account is moved, the User object for her account needs a new SID. The domain identifier portion of a SID issued in Noam is unique to Noam, so the SID for her account in Euro has a different domain identifier. The RID portion of a SID is unique relative to the domain, so if the domain changes, the RID also changes.

Thus, when a User object moves from one domain to another, a new SID must be generated for the user account and stored in the Object-SID property. Before the new value is written to the property, the previous value is copied to another property of a User object, SID History (SIDHistory). This property can hold multiple values. Each time a User object moves to another domain, a new SID is generated and stored in the Object-SID property and another value is added to the list of old SIDs in SIDHistory. When a user logs on and is successfully authenticated, the domain authentication service queries Active Directory for all of the SIDs associated with the user: the current SID of the user, any old SIDs of the user, and the SIDs for the groups to which the user belongs. All of these SIDs are returned to the authentication client and are included in the access token of the user. When the user tries to gain access to a resource, any one of the SIDs in the access token, including one of the SIDs in SIDHistory, can be used to authorize the user to the resource.
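The following added example (not code from the original topic) works through the SID mechanics described above: decoding the binary objectSid layout into the S-1-5-21-... string, splitting off the RID, moving an account from the Noam domain to the Euro domain so that its old SID lands in sIDHistory, and then evaluating a resource ACL against the SIDs that would be in the access token. The two domain SIDs, the RIDs and the ACL are constructed values.

```python
import struct


def sid_from_bytes(blob):
    """Decode the binary objectSid layout: one byte revision, one byte
    sub-authority count, a 48-bit big-endian identifier authority, then
    little-endian 32-bit sub-authorities (the last one is the RID)."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_to_bytes(sid):
    """Inverse of sid_from_bytes; handy for building test data."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_sid(sid):
    """(domain SID, RID): the RID is the final 32-bit sub-authority."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


# Constructed domain SIDs for noam.wingtiptoys.com and euro.wingtiptoys.com.
NOAM_SID = "S-1-5-21-1004336348-1177238915-682003330"
EURO_SID = "S-1-5-21-2592034548-1098335417-3264530231"


def new_principal(domain_sid, rid):
    """A freshly created security principal: domain SID plus RID, empty history."""
    return {"objectSid": "%s-%d" % (domain_sid, rid), "sIDHistory": []}


def migrate(account, new_domain_sid, new_rid):
    """Move an account to another domain: the old objectSid is appended to
    sIDHistory and a SID from the new domain (new domain identifier and new
    RID) becomes the current objectSid."""
    return {
        "objectSid": "%s-%d" % (new_domain_sid, new_rid),
        "sIDHistory": list(account["sIDHistory"]) + [account["objectSid"]],
    }


def token_sids(account, group_sids=()):
    """SIDs placed in the access token at logon: the current SID, every
    sIDHistory value, and the SIDs of the account's groups."""
    return [account["objectSid"]] + list(account["sIDHistory"]) + list(group_sids)


def access_allowed(acl, token):
    """Minimal DACL evaluation over explicit ACEs: a matching deny wins, then a
    matching allow. Real evaluation also orders inherited ACEs and compares
    access masks; that is omitted here."""
    matched = {ace_type for ace_type, sid in acl if sid in token}
    if "deny" in matched:
        return False
    return "allow" in matched


if __name__ == "__main__":
    nicolette = new_principal(NOAM_SID, 1107)
    share_acl = [("allow", nicolette["objectSid"])]      # ACL written while she was in Noam
    moved = migrate(nicolette, EURO_SID, 2201)
    print(split_sid(moved["objectSid"]))
    print(moved["sIDHistory"])
    print(access_allowed(share_acl, token_sids(moved)))  # still allowed, through sIDHistory
```

The last check is the operational point: a value in sIDHistory authorizes exactly like a current SID, so the attribute deserves the same scrutiny as group membership, which is why the "Security Considerations for Trusts" topic referenced below applies to it.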

For more information about SIDHistory, see "How Security Identifiers Work" and "Security Considerations for Trusts."

Object Names

Object names are used to identify accounts in an Active Directory network. Objects have both LDAP-related names and logon names. Each object name represents a unique attribute for that object.

LDAP-Related Names

Active Directory is a Lightweight Directory Access Protocol (LDAP)-compliant directory service. In Windows Server 2003 and higher operating systems, all access to Active Directory objects occurs through LDAP. LDAP defines what operations can be performed in order to query and modify information in a directory, and how information in a directory can be accessed in compliance with established security requirements. Therefore, you can use LDAP to find or enumerate directory objects and to query or administer Active Directory.


It is possible to query by LDAP distinguished name (which is itself an attribute of the object), but because these names are difficult to remember, LDAP also supports querying by other attributes (for example, by using the attribute "color" to find "color" printers). This lets you find an object without having to know the distinguished name. If your organization has several domains, it is possible to use the same user name or computer name in different domains.

Like some other types of object names, LDAP-related names can change. The SID, globally unique ID, LDAP distinguished name, and canonical name generated by Active Directory uniquely identify each user, computer, or group in the forest. If the security principal object is renamed, its LDAP relative distinguished name, LDAP distinguished name, and canonical name change; if it is moved to a different domain, its SID changes as well. The globally unique ID generated by Active Directory does not change in either case.

Distinguished Name

Objects are located within Active Directory domains according to a hierarchical path, which includes the labels of the Active Directory domain name and each level of container objects. The full path to the object is defined by the distinguished name (also known as a DN). The name of the object itself, separate from the path to the object, is defined by the relative distinguished name.

The distinguished name is unambiguous (identifies one object only) and unique (no other object in the directory has this name). By using the full path to an object, including the object name and all parent objects to the root of the domain, the distinguished name uniquely and unambiguously identifies an object within a domain hierarchy. It contains sufficient information for an LDAP client to retrieve information about the object from the directory.

For example, a user named Samantha Smith works in the marketing department of a company as a promotions coordinator. Therefore, her user account is created in an organizational unit that stores the accounts for marketing department employees who are engaged in promotional activities. The user identifier for Samantha Smith is Ssmith, and she works in the North American branch of the company. The root domain of the company is wingtiptoys.com, and the local domain is noam.wingtiptoys.com. The following distinguished name is of the user object Ssmith in the noam.wingtiptoys.com domain.

cn=Ssmith,ou=Promotions,ou=Marketing,dc=noam,dc=wingtiptoys,dc=com

Note 

• Active Directory tools do not display the LDAP abbreviations for the naming attributes domain component (dc=), organizational unit (ou=), common name (cn=), and so forth. These abbreviations are shown only to illustrate how LDAP recognizes the portions of the distinguished name. Most Active Directory tools display object names in canonical form, as described later in this section. Because distinguished names are difficult to remember, it is useful to have other means for retrieving objects. Active Directory supports querying by attribute (for example, the building number where you want to find a printer), so an object can be found without having to know the distinguished name.


Relative Distinguished Name

The relative distinguished name of an object is the part of the name that is an attribute of the object itself: the part of the object name that identifies this object as unique from its siblings at its current level in the naming hierarchy. Using the distinguished name mentioned earlier, the relative distinguished name of the object is Ssmith. The relative distinguished name of the parent object is Promotions. The maximum length allowed for a relative distinguished name is 255 characters, but attributes have specific limits imposed by the directory schema. For example, in the case of the common name (cn), which is the attribute type often used for naming the relative distinguished name, the maximum number of characters allowed is 64.

Active Directory relative distinguished names are unique within a specific parent; that is, Active Directory does not permit two objects with the same relative distinguished name under the same parent container. However, two objects can have identical relative distinguished names but still be unique in the directory because, within their respective parent containers, their distinguished names are not the same. (For example, the object cn=Ssmith,dc=noam,dc=wingtiptoys,dc=com is recognized by LDAP as being different from cn=Ssmith,dc=wingtiptoys,dc=com.)

The relative distinguished name for each object is stored in the Active Directory database. Each record contains a reference to the parent of the object. By following the references to the root, the entire distinguished name is constructed during an LDAP operation.

Canonical Name

By default, the user interface in Windows 2000 and higher operating systems displays object names that use the canonical name, which lists the relative distinguished names from the root downward and without RFC 1779 naming attribute descriptors; it uses the DNS domain name (the form of the name where domain labels are separated by periods). For the LDAP distinguished name in the previous example, the respective canonical name would appear as follows: noam.wingtiptoys.com/marketing/promotions/ssmith

Note 

• If the name of an organizational unit contains a forward slash character (/), Active Directory requires an escape character in the form of a backslash (\) to distinguish between forward slashes that separate elements of the canonical name and the forward slash that is part of the organizational unit name. The canonical name that appears in Active Directory Users and Computers properties pages displays the escape character immediately preceding the forward slash in the name of the organizational unit. For example, if the name of an organizational unit is Promotions/Northeast and the name of the domain is Wingtiptoys.com, the canonical name is displayed as Wingtiptoys.com/Promotions\/Northeast.
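As an added example (not code from the original topic), the following turns the naming rules above into code: it splits a distinguished name into relative distinguished names while honouring LDAP backslash escapes, returns the RDN and the parent container, and produces the canonical name with the backslash escape for a forward slash in an OU name. Unlike the lower-cased rendering shown above, it preserves the case of the values, as the Users and Computers snap-in does.

```python
import re

# Split on commas not preceded by a backslash; an escaped backslash followed
# by a comma ("\\,") is not handled.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn):
    """DN -> [(attribute, value), ...] from leaf to root, LDAP escapes removed."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.strip().partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        rdns.append((attr.strip().lower(), re.sub(r"\\(.)", r"\1", value)))
    return rdns


def relative_distinguished_name(dn):
    """Value of the leaf component, e.g. 'Ssmith' for the example DN."""
    return parse_dn(dn)[0][1]


def parent_dn(dn):
    """The DN with the leaf RDN removed: the container the object lives in."""
    return ",".join(_RDN_SPLIT.split(dn)[1:])


def canonical_name(dn):
    """Canonical form: DNS domain name, then the containers root-down and the
    object, separated by '/'. A '/' inside a value is escaped as '\\/' so it
    cannot be mistaken for a separator. The dc= components are assumed to be
    the trailing part of the DN, as they are for Active Directory domains."""
    rdns = parse_dn(dn)
    domain = ".".join(value for attr, value in rdns if attr == "dc")
    path = [value.replace("/", "\\/") for attr, value in reversed(rdns) if attr != "dc"]
    return "/".join([domain] + path)


if __name__ == "__main__":
    dn = "cn=Ssmith,ou=Promotions,ou=Marketing,dc=noam,dc=wingtiptoys,dc=com"
    print(relative_distinguished_name(dn))
    print(parent_dn(dn))
    print(canonical_name(dn))
    print(canonical_name("ou=Promotions/Northeast,dc=wingtiptoys,dc=com"))
```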

Logon Names

A unique logon name is required for user security principals to gain access to a domain and its resources. Security principals are objects to which Windows security is applied in the form of authentication and authorization. Users are security principals, and they are authenticated (their identity is verified) at the time they log on to the domain or local computer. They are authorized (allowed or denied access) when they use resources.


In Windows 2000 and higher operating systems, user security principals require a unique logon name to gain access to a domain and its resources. Security principal objects might be renamed, moved, or contained within a nested domain hierarchy. The names of security principal objects must conform to the following guidelines:

• The name cannot be identical to any other user, computer, or group name in the domain. It can contain up to 20 uppercase or lowercase characters except for the following: " / \ [ ] : ; | = , + * ? < >

• A user name, computer name, or group name cannot consist solely of periods (.) or spaces.

The two types of logon names are user principal names and Security Account Manager account names.

User Principal Name

In Active Directory, each user account has a user principal name (UPN) in the format user@DNS-domain-name. A UPN is a friendly name assigned by an administrator that is shorter than the LDAP distinguished name used by the system and easier to remember. The UPN is independent of the DN of the user object, so a user object can be moved or renamed without affecting the user logon name. When logging on using a UPN, users do not have to choose a domain from a list on the logon dialog box.

The three parts of a UPN are the UPN prefix (user logon name), the @ character, and the UPN suffix (usually a domain name). The default UPN suffix for a user account is the DNS name of the Active Directory domain where the user account is located. For example, the UPN for user Frank Miller, who has a user account in the Wingtiptoys.com domain (if Wingtiptoys.com is the only domain in the tree), is [email protected]. The UPN is an attribute (userPrincipalName) of the security principal object. If the userPrincipalName attribute of a User object has no value, the User object has a default UPN of userName@DnsDomainName.

If your organization has many domains forming a deep domain tree organized by department and region, default UPN names can become unwieldy. For example, the default UPN suffix for a user might be Sales.westcoast.microsoft.com. The logon name for a user in that domain is [email protected]. Instead of accepting the default DNS domain name as the UPN suffix, you can simplify both administration and user logon processes by providing a single UPN suffix for all users. (The UPN suffix is used only within the Active Directory domain and is not required to be a valid DNS domain name.) You can choose to use your e-mail domain name as the UPN suffix, [email protected]. This gives the user in the example the UPN name of [email protected].

For a UPN-based logon, a global catalog might be necessary, depending on the user logging on and the domain membership of the computer where the user logs on. A global catalog is needed if the user logs on with a non-default UPN and the computer account of the user is in a different domain than the user account of the user. For example, if, instead of accepting the default DNS domain name as the UPN suffix (in the example [email protected]), you provide a single UPN suffix for all users (so that the user then becomes simply [email protected]), a global catalog is required for logon.


You use the Active Directory Domains and Trusts tool to manage UPN suffixes for a domain. UPNs are assigned at the time a user is created. If you have created additional suffixes for the domain, you can select from the list of available suffixes when you create the user or group account. The suffixes appear in the list in the following order:

• Alternate suffixes (if any; the last one created appears first)

• Root domain

• The current domain

SAM Account Name

A Security Accounts Manager (SAM) account name is required for compatibility with Windows NT 3.x and Windows NT 4.0 domains. The user interface in Windows 2000 or higher operating systems refers to the SAM account name as User logon name (pre-Windows 2000). There is no interoperability between Windows Server 2008 or higher domains and Windows NT 3.x and Windows NT 4.0 domains.

SAM account names are sometimes referred to as flat names because, unlike DNS names, SAM account names do not use hierarchical naming. Because SAM names are flat, each one must be unique in the domain.

Organizational Units

Active Directory allows administrators to create a hierarchy within a domain that meets the needs of their organization. The object class of choice for building these hierarchies is the organizationalUnit, a general-purpose container that can be used to group most other object classes together for administrative purposes. An organizational unit in Active Directory is analogous to a directory in the file system; it is a container that can hold other objects. You can use organizational units for purposes such as creating an administrative hierarchy, applying Group Policy, and delegating control of administration.

Administrative Hierarchy

Organizational units can be nested to create a hierarchy within a domain and form logical administrative units for users, groups, and resource objects, such as printers, computers, applications, and file shares. The organizational unit hierarchy within a domain is independent of the structure of other domains; each domain can implement its own hierarchy. Likewise, domains that are managed by a central authority can implement similar organizational unit hierarchies. The structure is completely flexible, which allows organizations to create an environment that mirrors the administrative model, whether it is centralized or decentralized.

Group Policy

Group Policy can be applied to organizational units to define the abilities of groups of computers and users that are contained within the organizational units. Levels of control range from complete desktop lockdown to a relatively autonomous user experience. Group Policy can affect functionality, such as what applications are available to a group of users, what features within an application are accessible on a particular computer, where documents are saved, and can affect access and user permissions. Group Policy also affects where, when, and how application and operating system updates or special scripts are applied.


Group Policy settings are stored as Group Policy objects in Active Directory. A Group Policy object can be associated with one or more Active Directory containers, such as a site, domain, or organizational unit.

Delegation of Control

The Active Directory object-based security model implements default access control that is propagated down a subtree of container objects. You can use this technology to determine the security for an entire group of objects according to the security that you set on the organizational unit that contains the objects. By default, most Active Directory objects inherit ACEs from the security descriptor on their parent container object. If necessary, you can change the inherited permissions. However, as a best practice, you should avoid changing the default permissions or inheritance settings on Active Directory objects unless you have additional security requirements.

Note

Because Active Directory is indexed, you can organize the tree to match your administrative model, instead of having to organize it for ease of browsing.

Inheritance enables the access control information defined at a container object in Active Directory to apply to the security descriptors of any subordinate objects, including other containers and their objects. One benefit this provides is that it eliminates the need to apply permissions each time a child object is created. You can apply or delegate administrative control over directory objects to organizational units by setting access control.

This inheritance of access effectively delegates administrative control to individuals in the organization. The best way to take full advantage of delegation and inherited control on directory objects is to organize the hierarchy to match the way that the directory is administered.

User Accounts and Access Control

Active Directory authenticates and authorizes security principals such as user, inetorgperson, and computer accounts to access shared resources on the network. The Local Security Authority (LSA) is the security subsystem responsible for all interactive user authentication and authorization services on a local computer. The LSA also processes authentication requests made through the Kerberos V5 protocol or the NTLM protocol in Active Directory.

Once the identity of a user is verified in Active Directory, the LSA on the authenticating domain controller creates a security access token for that user. An access token contains the name of the user, the groups to which that user belongs, a SID for the user, SIDs included in the SIDHistory property, and all of the SIDs for the groups to which the user belongs.

The information in the access token is used to determine the level of access a user has to resources whenever the user attempts to access them. The SIDs in the access token are compared with the list of SIDs that make up the discretionary access control list (DACL) on the resource to ensure that the user has sufficient permission to access the resource. This is because the access control process identifies user accounts by SID rather than by name.

Note

When a domain controller provides an access token to a user, the access token only contains information about membership in domain local groups if the domain local groups are local to the domain where the domain controller is located.

User Authorization

In addition to securing network access through user authentication, Active Directory protects shared resources by facilitating user authorization. Once a user logon has been authenticated by Active Directory, the user rights assigned to the user through security groups and the permissions assigned on the shared resource determine if the user will be authorized to access that resource. This authorization process protects shared resources from unauthorized access and permits access to only authorized users or groups.

Administrators can use access control to manage user access to shared resources for security purposes. In Active Directory, access control is administered at the object level by setting different levels of access, or permissions, to objects, such as Full Control, Write, Read, Delete, or No Access. Access control in Active Directory defines how users can use Active Directory objects. By default, most permissions on objects in Active Directory are at the most secure setting.

The elements that define access control permissions on Active Directory objects include security descriptors and the concept of object inheritance.

Security Descriptors

Access control permissions are assigned to securable objects and Active Directory objects to control how different users can use each object. A securable object, or shared resource, is an object that is intended to be used over a network by one or more users, and includes files, printers, folders, and services. All securable objects and Active Directory objects store access control permissions in security descriptors.

A security descriptor contains two access control lists (ACLs) used to assign and track security information for each object: these are the discretionary access control list (DACL) and the system access control list (SACL).

Discretionary access control lists (DACLs). DACLs identify the users and groups that are assigned or denied access permissions on an object. If a DACL does not explicitly allow access to a user, or to any group that a user is a member of, the user is implicitly denied access to that object. By default, a DACL is controlled by the owner of an object or the person who created the object (in Windows, the creator of an object is also the owner). The DACL contains access control entries (ACEs) that determine user access to the object.

System access control lists (SACLs). SACLs identify the users and groups that you want to audit when they successfully access or fail to access an object. Auditing is used to monitor events related to system or network security, to identify security breaches, and to determine the extent and location of any damage. By default, a SACL is controlled by the owner of an object or the person who created the object. A SACL contains ACEs that determine whether to record a successful or failed attempt by a user to access an object using a given permission, for example, Full Control or Read.
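A Python model of the inheritance (Delegation of Control), access token, and DACL/SACL behaviour described above, added here and not code from the original document: the OU's inheritable ACEs flow onto a child user object in canonical order, the token's SIDs (including SIDHistory) are compared with the DACL, and the SACL decides which attempts are audited. The SIDs and permission names are constructed for the example; owner-implied rights and per-attribute ACEs are left out.

```python
"""Added example: AD security descriptors, ACE inheritance, and access checks (not from the original document)."""
from dataclasses import dataclass, field, replace
from typing import FrozenSet, List, Set


@dataclass(frozen=True)
class Ace:
    kind: str                    # "allow", "deny" (DACL) or "audit" (SACL)
    sid: str                     # trustee SID
    rights: FrozenSet[str]       # permission names such as "read", "write"
    inherited: bool = False      # True once flowed down from a parent container
    inheritable: bool = True     # False keeps the ACE on this object only
    audit_success: bool = False  # audit ACEs only
    audit_failure: bool = False


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: List[Ace] = field(default_factory=list)
    sacl: List[Ace] = field(default_factory=list)


@dataclass(frozen=True)
class Token:
    """What the LSA puts in the access token: user SID, group SIDs, SIDHistory."""
    user_sid: str
    group_sids: FrozenSet[str] = frozenset()
    sid_history: FrozenSet[str] = frozenset()

    def sids(self) -> Set[str]:
        return {self.user_sid} | set(self.group_sids) | set(self.sid_history)


def inherit_from(parent: SecurityDescriptor, child: SecurityDescriptor) -> SecurityDescriptor:
    """Flow the parent's inheritable ACEs onto the child in Windows canonical order:
    the child's own deny ACEs, then its own allow ACEs, then the inherited ACEs."""
    own = [a for a in child.dacl if not a.inherited]
    flowed = [replace(a, inherited=True) for a in parent.dacl if a.inheritable]
    dacl = ([a for a in own if a.kind == "deny"]
            + [a for a in own if a.kind == "allow"]
            + flowed)
    sacl = ([a for a in child.sacl if not a.inherited]
            + [replace(a, inherited=True) for a in parent.sacl if a.inheritable])
    return SecurityDescriptor(owner=child.owner, dacl=dacl, sacl=sacl)


def access_check(sd: SecurityDescriptor, token: Token, requested: FrozenSet[str]) -> bool:
    """Compare the token's SIDs with the DACL. A matching deny that covers a
    still-ungranted right refuses access; allows accumulate until every
    requested right is granted. No matching allow means implicit denial."""
    sids = token.sids()
    granted: Set[str] = set()
    for ace in sd.dacl:
        if ace.sid not in sids:
            continue
        if ace.kind == "deny" and ace.rights & (requested - granted):
            return False
        if ace.kind == "allow":
            granted |= ace.rights & requested
            if granted == set(requested):
                return True
    return granted == set(requested)


def audit_records(sd: SecurityDescriptor, token: Token,
                  requested: FrozenSet[str], succeeded: bool) -> List[str]:
    """Return the audit events the SACL asks for on this access attempt."""
    sids = token.sids()
    outcome = "success" if succeeded else "failure"
    records: List[str] = []
    for ace in sd.sacl:
        if ace.kind != "audit" or ace.sid not in sids or not (ace.rights & requested):
            continue
        if (succeeded and ace.audit_success) or (not succeeded and ace.audit_failure):
            records.append(f"{outcome}:{token.user_sid}:{','.join(sorted(ace.rights & requested))}")
    return records


# Constructed SIDs for the sample; they are not real identifiers.
DOMAIN_ADMINS = "S-1-5-21-1000-512"
HELPDESK = "S-1-5-21-1000-1101"
CONTRACTORS = "S-1-5-21-1000-1102"
MIGRATED_ADMINS = "S-1-5-21-2000-512"  # old-domain group that survives in SIDHistory


def build_user_object() -> SecurityDescriptor:
    """A user object under an OU: the OU delegates read/write to HelpDesk and
    read to a migrated group; the object itself denies write to Contractors."""
    ou = SecurityDescriptor(owner=DOMAIN_ADMINS, dacl=[
        Ace("allow", HELPDESK, frozenset({"read", "write"})),
        Ace("allow", MIGRATED_ADMINS, frozenset({"read"})),
    ], sacl=[Ace("audit", CONTRACTORS, frozenset({"write"}), audit_failure=True)])
    user = SecurityDescriptor(owner=DOMAIN_ADMINS, dacl=[
        Ace("deny", CONTRACTORS, frozenset({"write"}), inheritable=False),
    ])
    return inherit_from(ou, user)
```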

Active Directory allows you to apply access control permissions to objects at very low levels, including the ability to assign permissions on a per-attribute basis. To view DACLs and SACLs on Active Directory objects using Active Directory Users and Computers, on the View menu, click Advanced Features to access the Security tab for each object. You can also use the DSACLS support tool to manage access control lists in Active Directory.

By default, DACLs and SACLs are associated with every Active Directory object, which helps reduce attacks on your network by malicious users or any accidental mistakes made by domain users.

Computer Accounts

Each computer account created in Active Directory has a relative distinguished name, a pre-Windows 2000 computer name (Security Accounts Manager account name), a primary DNS suffix, a DNS host name, and a service principal name (SPN). The administrator enters the computer name when creating the computer account. This computer name is used as the LDAP relative distinguished name.

Active Directory suggests the pre-Windows 2000 name using the first 15 bytes of the relative distinguished name. The administrator can change the pre-Windows 2000 name at any time.

The DNS name for a host is called a full computer name and is a DNS fully qualified domain name (FQDN). The full computer name is a concatenation of the computer name (the first 15 bytes of the SAM account name of the computer account without the $ character) and the primary DNS suffix (the DNS domain name of the domain in which the computer account exists). It is listed on the Computer Name tab in System Properties in Control Panel.

By default, the primary DNS suffix portion of the FQDN for a computer must be the same as the name of the Active Directory domain where the computer is located. To allow different primary DNS suffixes, a domain administrator might create a restricted list of allowed suffixes by creating the msDS-AllowedDNSSuffixes attribute in the domain object container.

This attribute is created and managed by the domain administrator using Active Directory Service Interfaces (ADSI) or LDAP.

The SPN is a multivalue attribute. It is usually built from the DNS name of the host. The SPN is used in the process of mutual authentication between the client and the server hosting a particular service. The client finds a computer account based on the SPN of the service to which it is trying to connect. The SPN can be modified by members of the Domain Admins group.
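As an added example (not from the original document), this Python derives the names the section lists for a computer account from the name the administrator enters, enforces the msDS-AllowedDNSSuffixes rule for a non-default primary DNS suffix, and locates an account by SPN the way a client's service-ticket request needs it. The HOST/ SPN forms and the ASCII-only 15-character truncation are assumptions.

```python
"""Added example: names derived for an AD computer account and SPN-based lookup (not from the original document)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

NETBIOS_MAX = 15  # pre-Windows 2000 name: first 15 bytes of the RDN (ASCII assumed here)


@dataclass(frozen=True)
class ComputerAccount:
    rdn: str                 # LDAP relative distinguished name, e.g. CN=wks01
    sam_account_name: str    # pre-Windows 2000 name, uppercase, "$" appended
    dns_host_name: str       # full computer name (FQDN)
    spns: FrozenSet[str]     # servicePrincipalName, multivalued


def primary_suffix_allowed(suffix: str, domain_dns_name: str,
                           allowed_suffixes: Iterable[str]) -> bool:
    """The primary DNS suffix must equal the AD domain name unless the domain
    administrator listed it in msDS-AllowedDNSSuffixes on the domain object."""
    candidates = {domain_dns_name.lower()} | {s.lower() for s in allowed_suffixes}
    return suffix.lower() in candidates


def create_computer_account(computer_name: str, domain_dns_name: str,
                            primary_suffix: Optional[str] = None,
                            allowed_suffixes: Iterable[str] = ()) -> ComputerAccount:
    """Derive every name the document lists from the name the administrator enters."""
    suffix = primary_suffix or domain_dns_name
    if not primary_suffix_allowed(suffix, domain_dns_name, allowed_suffixes):
        raise ValueError(f"primary DNS suffix {suffix!r} is not allowed in {domain_dns_name}")
    netbios = computer_name[:NETBIOS_MAX]
    sam = netbios.upper() + "$"
    fqdn = f"{netbios}.{suffix}"
    # Assumption: the default HOST/ SPNs Net Logon registers for the short and full names.
    spns = frozenset({f"HOST/{fqdn}", f"HOST/{netbios.upper()}"})
    return ComputerAccount(rdn=f"CN={computer_name}", sam_account_name=sam,
                           dns_host_name=fqdn, spns=spns)


def find_account_for_spn(spn: str, accounts: Iterable[ComputerAccount]) -> Optional[ComputerAccount]:
    """What a client's Kerberos request relies on: the account that registered the SPN.
    SPNs compare case-insensitively; the first match is returned."""
    wanted = spn.lower()
    for account in accounts:
        if any(candidate.lower() == wanted for candidate in account.spns):
            return account
    return None


if __name__ == "__main__":
    # Constructed sample computers in the document's wingtiptoys.com domain.
    wks01 = create_computer_account("wks01", "wingtiptoys.com")
    long_name = create_computer_account("engineering-ws-07", "wingtiptoys.com")
    print(wks01)
    print(long_name.sam_account_name)  # truncated to 15 characters before the $
    print(find_account_for_spn("host/WKS01.wingtiptoys.com", [wks01, long_name]))
```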

Domain and Forest Protocols and Programming Interfaces

The primary protocol that is used by domain controllers in every domain throughout the forest is LDAP, which runs on top of TCP/IP. LDAP is both a protocol and an API. In addition, the secured communications between domain controllers must use the remote procedure call (RPC) protocol for Messaging Application Programming Interface (MAPI), replication, domain controller management, and SAM-related operations.

LDAP

LDAP is a directory service protocol that specifies directory communications. It runs directly over TCP/IP, and it can also run over User Datagram Protocol (UDP) connectionless transports. Clients can use LDAP to query, create, update, and delete information that is stored in a directory service over a TCP connection through the TCP default port 389. Active Directory supports LDAP v2 (RFC 1777) and LDAP v3 (RFC 3377). LDAP v3 is an industry standard that can be used with any directory service that implements the LDAP protocol. LDAP is the preferred and most common way of interacting with Active Directory.

Historically, LDAP is a simplified (lightweight) version of Directory Access Protocol (DAP), which is the original protocol that was used to interact with X.500 directories. X.500 defines an earlier set of standards that was developed by the International Organization for Standardization (ISO). LDAP is simpler than DAP in two key ways:

• Rather than using its own protocol stack according to the Open Systems Interconnection (OSI) networking model, LDAP communicates over Internet Protocol (IP) by using either UDP or TCP.

• LDAP syntax is easier to use than DAP syntax.

For these reasons, LDAP is widely used and accepted as the standard protocol for directory service access. The following key aspects characterize LDAP:

• The protocol is carried directly over TCP for connection-oriented transport (receipt of data is acknowledged) and over UDP for connectionless transport (sent or received data is not acknowledged).

• Most protocol data elements can be encoded as ordinary strings, for example, as distinguished names.

• Referrals to other servers can be returned to the client.

• Simple Authentication and Security Layer (SASL) mechanisms can be used with LDAP to provide associated security services. SASL Digest is supported as the authentication standard for LDAP.

• Attribute values and distinguished names can be internationalized using the ISO 10646 character set.

• The protocol can be extended to support new operations, and controls can be used to extend existing operations.

• The schema is published through an attribute on the directory root object (rootDSE) for use by clients.

For more information about LDAP, see “How Active Directory Searches Work.”

RPC

Active Directory uses remote procedure call (RPC) for replication (REPL) and domain controller management communications, MAPI communications, and SAM-related communications. RPC is a powerful, robust, efficient, and secure interprocess communication (IPC) mechanism that enables data exchange and invocation of functionality located in a different process. That different process can be on the same computer, on the local area network (LAN), or across the Internet.


Authentication Protocols

Domain controllers authenticate users and applications by using one of two protocols: either the Kerberos version 5 authentication protocol or the NTLM authentication protocol. When two Active Directory domains or forests are connected by a trust, authentication requests made using these protocols can be routed to provide access to resources in both forests.

NTLM

The NTLM version 2 (NTLMv2) authentication protocol is a challenge/response authentication protocol. It is supported in Windows Server 2008, Windows Vista, Windows Server 2003, Windows 2000, and Windows XP, but it is not the default authentication protocol. Kerberos v5 is the default for these versions except when exchanging communications with a computer running Windows NT Server 4.0 or earlier. Networks with this configuration are referred to as mixed-mode. NTLM is also the authentication protocol for computers that are not participating in a domain, such as stand-alone servers and workgroups.

In Windows 7 and Windows Server 2008 R2, you can restrict the usage of NTLM. For more information, see Introducing the Restriction of NTLM Authentication (http://technet.microsoft.com/en-us/library/dd560653(WS.10).aspx).

When the NTLM protocol is used between a client and a server, the server must contact a domain authentication service on a domain controller to verify the client credentials. The server authenticates the client by forwarding the client credentials to a domain controller in the client account domain.

Kerberos Version 5 Protocol

The Kerberos version 5 protocol is the default authentication protocol used by computers running Windows 2000 or later operating system versions. This protocol is specified in RFC 1510 and is fully integrated with Active Directory, server message block (SMB), HTTP, and RPC, as well as the client and server applications that use these protocols. In Active Directory domains, the Kerberos protocol is used to authenticate logons when any of the following conditions is true:

• The user who is logging on uses a security account in an Active Directory domain.

• The computer that is being logged on to has an operating system that is Windows 2000 or later.

• The computer that is being logged on to is joined to an Active Directory domain.

• The computer account and the user account are in the same forest.

• The computer from which the user is trying to access resources is located in a non-Windows-based operating system Kerberos version 5 realm.

If any computer involved in a transaction does not support the Kerberos version 5 protocol, the NTLM protocol is used.


The authentication protocol of choice for Active Directory authentication requests is Kerberos V5. In contrast to NTLM, when the Kerberos protocol is used, the server does not have to contact the domain controller. Instead, the client gets a ticket for a server by requesting one from a domain controller in the server account domain; the server validates the ticket without consulting any other authority.

For more information about Kerberos, see “How the Kerberos Version 5 Authentication Protocol Works.”

Active Directory APIs

You can use the following application programming interfaces (APIs) to access information in any LDAP directory, including Active Directory:

• Active Directory Service Interfaces (ADSI)

• LDAP C API

• REPL

• MAPI

• SAM

ADSI

Active Directory Service Interfaces (ADSI) provides a simple, powerful, object-oriented interface to Active Directory. ADSI makes it easy for programmers and administrators to create directory programs by using high-level tools, such as Microsoft Visual Basic, without having to worry about the underlying differences between the different namespaces.

ADSI is supplied as a software development kit that enables you to build or buy programs that give you a single point of access to multiple directories in your network environment, whether those directories are based on LDAP or another protocol. ADSI is fully scriptable for ease of use by administrators.

ADSI also enables access to Active Directory by exposing objects stored in the directory as Component Object Model (COM) objects. A directory object is manipulated using the methods available on one or more COM interfaces. ADSI has a provider-based architecture that allows COM access to different types of directories for which a provider exists.

LDAP C

The LDAP C API, defined in Internet standard RFC 1823, is a set of low-level C-language APIs to the LDAP protocol. Microsoft supports LDAP C APIs on all Windows platforms.

Developers have the choice of writing Active Directory-enabled applications using LDAP C APIs or ADSI. LDAP C APIs are most often used to ease portability of directory-enabled applications to the Windows platform. ADSI is a more powerful language and is more appropriate for developers writing directory-enabled code on the Windows platform.


LDAP is the primary interface for the data store. Directory clients use LDAP v3 to connect to the DSA through the LDAP interface. The LDAP interface is part of Wldap32.dll. LDAP v3 is backward compatible with LDAP v2.

REPL

The REPL management interface provides functionality for finding data about domain controllers, converting the names of network objects between different formats, manipulating SPNs and DSAs, and managing replication of servers.

MAPI

Messaging clients gain access to the Microsoft Exchange Server directory service by using MAPI address book providers. For compatibility with existing messaging clients, Active Directory supports the MAPI-RPC address book provider, which provides access to Active Directory, for example, to find the telephone number of a user.

SAM

Security Accounts Manager (SAM) is a proprietary interface for connecting to the DSA on behalf of clients that use Windows NT 4.0 or earlier. These clients use Windows NT 4.0 networking APIs to connect to the DSA through SAM. Replication with Windows NT 4.0 backup domain controllers (BDCs) goes through the SAM interface as well.

Domain and Forest Processes and Interactions

Many network-related operations depend on domains and forests in order to complete various tasks. This section describes some of the processes and interactions that commonly occur within the boundaries of domains or forests.

Logging on to a Domain

When a user with an account in an Active Directory domain logs on at the keyboard of a computer running a Windows 2000 or later operating system, the logon request is processed in three stages:

1. The user requests admission to the ticket-granting service for the domain.

This is accomplished through an Authentication Service (AS) Exchange between the Kerberos security support provider (SSP) on the computer and the Key Distribution Center (KDC) in the domain in which the user account exists. The result is a ticket-granting ticket (TGT) that the user can present in future transactions with this KDC.

2. The user requests a ticket for the computer.

This is accomplished through a Ticket-Granting Service (TGS) Exchange between the Kerberos SSP on the computer and the KDC for the domain in which the computer account exists. The result is a session ticket that the user can present when he or she requests access to system services on the computer.


3. The user requests admission to Local System services on the computer.

This is accomplished when the Kerberos SSP on the computer presents a session ticket to the LSA on the computer.

If the account domain of the computer is different from the account domain of the user, an extra step is involved. Before the Kerberos SSP can request a session ticket for the computer, it must ask the KDC in the domain where the user account exists for a TGT that is good for admission to the KDC in the domain where the computer account exists. The SSP can then present the TGT to the KDC in the domain of the computer and get a session ticket for the computer.

The precise steps in the logon process depend on how the computer is configured. With standard configurations of Windows, interactive users log on with a password. In another optional configuration of Windows, users log on with a smart card. Although the basic process is the same for both configurations, there are some differences. For more information about the domain logon process, see “How Interactive Logon Works.”

Processing Authentications Across Domains and Forests

When a request for authentication is referred to a domain, before the domain controller in that domain authenticates the user to access resources in the domain, it must determine whether a trust relationship exists with the domain from which the request comes, as well as the direction of the trust and whether the trust is transitive or nontransitive. The authentication process between trusted domains varies according to the authentication protocol in use. The Kerberos version 5 and NTLM protocols in Windows 2000 Server, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 process referrals for authentication to a domain differently, as do other authentication protocols, such as Digest and SChannel, that Windows 2000 Server, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 support.

In an Active Directory environment, the Kerberos-based authentication process is most commonly used. To access a shared resource in another domain by using Kerberos authentication, a computer where the user logs on first requests a ticket from a domain controller in its account domain to the server in the trusting domain that hosts the requested resource. This ticket is then issued by an intermediary trusted by both the requesting computer and the server. The computer then presents this trusted ticket to the server in the trusting domain for authentication. This process, however, becomes more complex when a workstation in one forest attempts to access data on a resource computer in another forest.

In this case, the Kerberos authentication process contacts the domain controller for a service ticket to the SPN of the resource computer. Once the domain controller queries the global catalog and determines that the SPN is not in the same forest as the domain controller, the domain controller sends a referral for its parent domain back to the workstation. At that point, the workstation queries the parent domain for the service ticket and continues to follow the referral chain until it reaches the domain where the resource is located. For more detailed information about how authentication requests are processed across domains and forests, see “How Domain and Forest Trusts Work.”

Joining a Computer to a Domain


Joining a computer to a domain creates the computer account object for the client in an Active Directory location where all computer accounts are created by default during a join operation. The default location is set to the Computers container in Active Directory. A computer account differs from a user account in that it identifies the computer to the domain, while a user account identifies a user to a computer.

The act of joining a computer to a domain creates an account for the computer on the domain if it does not already exist. When you join a client computer running Windows 2000 or later, the following events occur:

• The domain name is validated.

• A domain controller in the domain is located through a call to the DsGetDcName API.

• A session is established with the domain controller under the security context of the passed-in credentials that are supplied in the Network Identification tab under System Properties in Control Panel.

• The computer account is enabled. If the flags so specify (NETSETUP_ACCT_CREATE), the APIs create the computer account on the domain controller.

• The local password for this account is created in the Local Security Authority (LSA).

• The local primary domain information LSA policy is set to refer to the new domain. This includes the domain name and the domain SID.

Note

For clients running Windows 2000 or later, the LSA policy consists of the domain name, domain SID, DNS domain name, DNS forest name, and domain GUID.

• The DNS name assigned to the local computer is updated.

• The local group membership is changed to add members of the Domain Admins group to the Local Accounts Administrators group.

• The Net Logon trusted domain cache is initialized to the trusted domains domain list.

• For clients running Windows 2000 or later, the Windows Time Service is enabled and started.

• The Net Logon service is started.

To join a workstation or member server to a domain, you can use the Netdom tool. Netdom takes the name of the computer to join as its first argument and, unless you add /UserD and /PasswordD:* (which prompts for the password), performs the join under the credentials of the current logon session. For example, to join a workstation to the Wingtiptoys.com domain in the engineering organizational unit, type the following command at the workstation:

Netdom join %COMPUTERNAME% /d:wingtiptoys.com /OU:OU=engineering,DC=wingtiptoys,DC=com


When a computer joins a domain, the following changes occur on domain controllers running Windows 2000 Server, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2:

• A computer object is created. The name of this object is generated by appending a dollar sign ($) to the name (in uppercase letters) of the client.

• On domain controllers running Windows 2000 Server or later only, the Net Logon service creates SPNs on the computer object.

Netsetup.log

When joining a computer to an Active Directory domain, the Networking Setup (NetSetup) utility installs all the necessary Microsoft-supported networking components. The Netsetup.log file (%SystemRoot%\debug\Netsetup.log on the client) provides information about attempts to join domains and records any errors that might prevent the join operation from succeeding.
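As an added example, not part of the original article, the same join performed from Windows PowerShell with Add-Computer, followed by a check of the domain-side effects listed above (the <NAME>$ object in the requested OU and its SPNs) and a look at Netsetup.log if the join fails. The domain wingtiptoys.com, the engineering OU and the workstation name are assumed values; the verification step assumes the ActiveDirectory RSAT module is installed on the workstation.

```powershell
# Added example (not from the original article). Assumed values: domain
# wingtiptoys.com, OU=engineering, and whatever $env:COMPUTERNAME is on the client.
# Requires Windows PowerShell 5.1 (Add-Computer is not available in PowerShell 7)
# and, for step 3, the ActiveDirectory RSAT module.

$domain = 'wingtiptoys.com'
$ouPath = 'OU=engineering,DC=wingtiptoys,DC=com'

# Use an account that has been delegated "Create Computer objects" on the target OU
# rather than a Domain Admin; the join needs nothing more than that right.
$cred = Get-Credential -Message "Account allowed to create computer objects in $ouPath"

# 1. Perform the join without rebooting yet, so the log can be read on failure.
#    -PassThru returns a ComputerChangeInfo object with HasSucceeded.
$result = Add-Computer -DomainName $domain -OUPath $ouPath -Credential $cred `
                       -PassThru -ErrorAction Continue

if (-not $result -or -not $result.HasSucceeded) {
    # 2. The join API traces every step (DsGetDcName, account creation, LSA policy,
    #    group change) here; the last lines carry the failing step and its status code.
    $log = Join-Path $env:windir 'debug\netsetup.log'
    Write-Warning "Join failed; last 40 lines of $log follow."
    Get-Content -Path $log -Tail 40
    return
}

# 3. Verify from the domain side: the object is named <NAME>$ (uppercase), sits in the
#    requested OU, and carries HOST/ SPNs (Net Logon may add more after the reboot).
$acct = "$($env:COMPUTERNAME.ToUpper())`$"
$obj  = Get-ADComputer -Identity $acct -Server $domain -Credential $cred `
                       -Properties servicePrincipalName, whenCreated, PasswordLastSet

[pscustomobject]@{
    SamAccountName    = $obj.SamAccountName
    DistinguishedName = $obj.DistinguishedName
    InRequestedOU     = $obj.DistinguishedName -like "*,$ouPath"
    Created           = $obj.whenCreated
    PasswordLastSet   = $obj.PasswordLastSet      # set when the LSA stored the machine password
    HostSpnCount      = @($obj.servicePrincipalName | Where-Object { $_ -like 'HOST/*' }).Count
} | Format-List

# 4. Only now reboot, so that the new LSA primary-domain policy, the local
#    Administrators membership change and the Net Logon / W32Time start-up take effect.
Restart-Computer -Confirm
```

If step 3 reports InRequestedOU as False, the account existed before the join (pre-staged or stale) and was reused in place; the join does not move an existing object, which is worth checking before assuming the OU's delegated permissions and Group Policy apply to the new client.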

Registering DNS Names and Locating Domain Controllers

When a member server running Windows 2000 Server or a later Microsoft Server operating system is promoted to a domain controller by installing Active Directory, the Net Logon service registers the DNS resource records necessary for network hosts and services to locate the domain controller on the network. When network hosts and services attempt an operation (such as joining a domain) that requires a domain controller, the locator mechanism attempts to locate the domain controller through DNS.

DNS is used because every Active Directory-based domain controller dynamically registers SRV records in DNS. The SRV records enable servers to be located by service type (for example, LDAP) and protocol (for example, TCP). Because domain controllers are LDAP servers that communicate over TCP, SRV records can be used to find the DNS computer names of domain controllers. In addition to registering LDAP-specific SRV records, Net Logon also registers Kerberos v5 authentication protocol-specific SRV records to enable locating servers that run the Kerberos Key Distribution Center (KDC) service.

Domain controllers not only register their DNS domain names on a DNS server, but also register their NetBIOS names by using a transport-specific mechanism (for example, WINS). Thus, a DNS client locates a domain controller by querying DNS, and a NetBIOS client locates a domain controller by querying the appropriate transport-specific name service. The domain controller locator service consists of two main parts:

• Locator finds which domain controllers are registered with a DNS server.

• Locator submits a DNS query to the DNS server to locate a domain controller in the specified domain.

After this query is resolved, an LDAP User Datagram Protocol (UDP) lookup is sent to one or more of the domain controllers listed in the response to the DNS query to ensure their availability. Finally, the Net Logon service caches the discovered domain controller to aid in resolving future requests.


For more information about the DC Locator process, see "How DNS Support for Active Directory Works."
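The locator steps above can be reproduced by hand to troubleshoot a client that cannot find a domain controller. The following is an added example, not part of the original article: it reads the SRV records Net Logon registers, checks that the candidates answer on the LDAP and Kerberos ports, and then asks the real locator (DsGetDcName, through Get-ADDomainController -Discover and nltest) which domain controller it picks. wingtiptoys.com is the assumed domain and is assumed to be the forest root; the TCP port check stands in for the LDAP UDP ping the locator itself sends.

```powershell
# Added example (not from the original article). Assumes wingtiptoys.com is the
# domain and the forest root (the _gc record lives under the forest root name).
# Needs the DnsClient and NetTCPIP modules (Windows 8 / Server 2012 and later);
# step 3 needs the ActiveDirectory RSAT module, nltest is built in.

$domain = 'wingtiptoys.com'

# 1. The SRV records Net Logon registers. _ldap._tcp.dc._msdcs lists every DC,
#    _kerberos._tcp.dc._msdcs every KDC, _gc._tcp every global catalog server.
$srvNames = @{
    LDAP     = "_ldap._tcp.dc._msdcs.$domain"
    Kerberos = "_kerberos._tcp.dc._msdcs.$domain"
    GC       = "_gc._tcp.$domain"
}

$candidates = foreach ($role in $srvNames.Keys) {
    Resolve-DnsName -Name $srvNames[$role] -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |          # drop the additional A records
        ForEach-Object {
            [pscustomobject]@{
                Role     = $role
                Target   = $_.NameTarget
                Port     = $_.Port
                Priority = $_.Priority    # lower is preferred
                Weight   = $_.Weight      # load balancing among equal priorities
            }
        }
}
$candidates | Sort-Object Role, Priority, Weight | Format-Table -AutoSize

# 2. Availability. The locator sends an LDAP ping over UDP 389 to the DCs from the
#    DNS answer; a TCP check of LDAP (389) and Kerberos (88) is the practical
#    substitute and still catches a firewall or a DC that registered but is down.
$candidates | Where-Object { $_.Role -eq 'LDAP' } | ForEach-Object {
    $ldap = Test-NetConnection -ComputerName $_.Target -Port 389 -WarningAction SilentlyContinue
    $krb  = Test-NetConnection -ComputerName $_.Target -Port 88  -WarningAction SilentlyContinue
    [pscustomobject]@{
        DC          = $_.Target
        LdapTcp     = $ldap.TcpTestSucceeded
        KerberosTcp = $krb.TcpTestSucceeded
    }
} | Format-Table -AutoSize

# 3. Ask the locator itself. -ForceDiscover bypasses the Net Logon cache the text
#    mentions, so the answer reflects current DNS data rather than a cached DC.
Get-ADDomainController -Discover -DomainName $domain -Service KDC, GlobalCatalog -ForceDiscover |
    Select-Object HostName, IPv4Address, Site

# Same query without the AD module; the output also lists the DC flags
# (GC, KDC, TIMESERV, WRITABLE, ...) that the locator evaluated.
nltest /dsgetdc:$domain /force
```

A DC that appears in step 1 but fails step 2 is the usual cause of intermittent join and logon delays: clients keep receiving it in the DNS answer and time out on the ping before moving to the next candidate. Remove its stale records (or fix its Net Logon registration) rather than working around it on the clients.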

Raising Domain and Forest Functional Levels

When Active Directory is installed on a server, a set of basic Active Directory features is enabled by default. In addition to the basic Active Directory features on individual domain controllers, there are new domain- and forest-wide Active Directory features available when all domain controllers in a domain or forest are running Windows Server 2003. This also holds true for Windows Server 2008 and Windows Server 2008 R2.

To enable the new domain-wide features, all domain controllers in the domain must be running Windows Server 2003, and the domain functional level must be raised to Windows Server 2003. To enable new forest-wide features, all domain controllers in the forest must be running Windows Server 2003, and the forest functional level must be raised to Windows Server 2003. The same is true for Windows Server 2008 and Windows Server 2008 R2.

Before raising the forest functional level to Windows Server 2003, verify that all domains in the forest are set to the domain functional level of Windows 2000 native or Windows Server 2003. Note that domains that are set to the domain functional level of Windows 2000 native will automatically be raised to Windows Server 2003 at the same time the forest functional level is raised to Windows Server 2003. For more detailed information about Windows Server 2008 and Windows Server 2008 R2 functional levels, see "How Active Directory Functional Levels Work."
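The verification the text calls for is easy to get wrong by hand in a multi-domain forest. The following is an added example, not part of the original article: it inventories every domain controller in every domain, blocks the raise if any runs an operating system older than the target level, reports the current domain and forest levels, raises each domain and then the forest, and forces replication of the change. It assumes the ActiveDirectory module (RSAT or a domain controller) and Enterprise Admins rights; the target level, Windows Server 2008 R2, is an assumed choice for illustration.

```powershell
# Added example (not from the original article). Assumptions: ActiveDirectory
# module available, run as Enterprise Admin, target level Windows Server 2008 R2.

Import-Module ActiveDirectory

$forest           = Get-ADForest
$targetDomainMode = 'Windows2008R2Domain'   # ADDomainMode enum value
$targetForestMode = 'Windows2008R2Forest'   # ADForestMode enum value
$targetOsYear     = 2008.5                  # "2008 R2" as a comparable number

# Map "Windows Server 2003 R2" -> 2003.5, "Windows Server 2008" -> 2008, etc.
function Get-OsYear([string]$OperatingSystem) {
    if ($OperatingSystem -match 'Windows Server (\d{4})( R2)?') {
        return [double]$Matches[1] + $(if ($Matches[2]) { 0.5 } else { 0 })
    }
    return 0   # unknown string or pre-2000 OS: treat as too old
}

# 1. Inventory every DC in every domain. One overlooked DC (an RODC, or a stale
#    NTDS Settings object left by a failed demotion) is enough to block the raise.
$dcs = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $d |
        Select-Object @{n='Domain';e={$d}}, HostName, OperatingSystem, IsReadOnly,
                      @{n='OsYear';e={ Get-OsYear $_.OperatingSystem }}
}
$dcs | Sort-Object Domain, HostName | Format-Table -AutoSize

$blocking = @($dcs | Where-Object { $_.OsYear -lt $targetOsYear })
if ($blocking.Count -gt 0) {
    Write-Warning "Upgrade or demote these DCs before raising to $targetForestMode :"
    $blocking | Format-Table Domain, HostName, OperatingSystem -AutoSize
    return
}

# 2. Current levels. Every domain must be at the target domain level before the
#    forest level can be raised; raise each domain explicitly rather than relying
#    on the automatic raise the text describes for Windows 2000 native domains.
foreach ($d in $forest.Domains) {
    '{0,-35} DomainMode = {1}' -f $d, (Get-ADDomain -Identity $d).DomainMode
}
'Forest {0}: ForestMode = {1}' -f $forest.Name, $forest.ForestMode

# 3. Raise domains, then the forest. A raised level can be lowered again only in
#    narrow cases, so run this script with -WhatIf on the Set-* calls first and take
#    a system state backup of one DC per domain beforehand.
foreach ($d in $forest.Domains) {
    if ((Get-ADDomain -Identity $d).DomainMode -ne $targetDomainMode) {
        Set-ADDomainMode -Identity $d -DomainMode $targetDomainMode -Confirm:$false
    }
}
Set-ADForestMode -Identity $forest.Name -ForestMode $targetForestMode -Confirm:$false

# 4. The level is an attribute on the domain and Partitions containers; push it to
#    every DC now so that features depending on it are not enabled against a DC that
#    has not yet seen the change.
repadmin /syncall /AdeP
Get-ADForest | Select-Object Name, ForestMode
```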

Replicating Directory Partitions

Active Directory uses RPC over IP to transfer replication data between domain controllers. RPC over IP is used for both intersite and intrasite replication. To keep data secure while in transit, RPC over IP replication uses both authentication (using the Kerberos V5 authentication protocol) and data encryption.

When a direct or reliable IP connection is not available, replication between sites can be configured to use the Simple Mail Transfer Protocol (SMTP). However, SMTP replication functionality is limited, and requires an enterprise certification authority (CA). SMTP can only be used to replicate the configuration, schema and application directory partitions, and does not support the replication of domain directory partitions. For more detailed information about the replication process, see "How Active Directory Replication Topology Works."
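Because the two transports differ in what they can carry and how they are secured, a replication review should start by listing which site links use which transport and then checking partner status per partition. The following is an added example, not part of the original article; it assumes the ActiveDirectory module and read access to the Configuration partition, and the error codes named in the last comment are the standard Windows replication error numbers.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module and an account that can read the Configuration partition of the forest.

Import-Module ActiveDirectory

# 1. Which site links use RPC over IP (Kerberos-authenticated, encrypted) and which
#    use SMTP (certificate-based, cannot carry the domain partition)?
Get-ADReplicationSiteLink -Filter * -Properties InterSiteTransportProtocol |
    Select-Object Name, InterSiteTransportProtocol, Cost, ReplicationFrequencyInMinutes,
                  @{n='Sites';e={ ($_.SitesIncluded | ForEach-Object { (($_ -split ',')[0]) -replace '^CN=' }) -join ', ' }} |
    Sort-Object InterSiteTransportProtocol, Name |
    Format-Table -AutoSize

# 2. SMTP links replicate only the configuration, schema and application partitions.
#    A site reachable solely over SMTP therefore never receives its domain partition,
#    so flag every SMTP link for a follow-up check that an IP link also covers those sites.
$smtpLinks = @(Get-ADReplicationSiteLink -Filter * -Properties InterSiteTransportProtocol |
               Where-Object { $_.InterSiteTransportProtocol -eq 'SMTP' })
if ($smtpLinks.Count -gt 0) {
    Write-Warning ("SMTP site links present: {0}. Confirm an IP site link also connects these sites." -f ($smtpLinks.Name -join ', '))
}

# 3. Inbound replication status of every DC, per partner and partition.
$status = foreach ($dc in Get-ADDomainController -Filter *) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -PartnerType Inbound -Partition * |
        Select-Object @{n='DC';e={ $dc.HostName }},
                      @{n='Partner';e={ (($_.Partner -split ',')[1]) -replace '^CN=' }},  # NTDS Settings DN -> server name
                      Partition, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
}
$status | Sort-Object DC, Partition | Format-Table -AutoSize

# 4. Only the problem rows: a non-zero result or consecutive failures. Common codes:
#    8453 = replication access denied, 1256 = remote system unavailable,
#    -2146893022 = target principal name incorrect (Kerberos/SPN problem on the RPC link).
$status | Where-Object { $_.ConsecutiveReplicationFailures -gt 0 -or $_.LastReplicationResult -ne 0 } |
    Format-Table DC, Partner, Partition, LastReplicationResult, ConsecutiveReplicationFailures -AutoSize

# Forest-wide view of the same failures as the DCs themselves recorded them.
Get-ADReplicationFailure -Target $forest.Name -Scope Forest -ErrorAction SilentlyContinue |
    Select-Object Server, Partner, FailureType, FirstFailureTime, FailureCount, LastError
```

Note that the script references $forest in the last step; define it with `$forest = Get-ADForest` before running that step, or replace `$forest.Name` with the forest's DNS name. A Kerberos-related code in step 4 (for example the target principal name error) on an RPC over IP link means the authenticated, encrypted channel the text describes could not be established at all, which is a security problem to fix at the SPN or trust level, not a transport setting to change.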